Windows Analysis Report
pzG0rkIchr.exe

Overview

General Information

Sample Name: pzG0rkIchr.exe (renamed file extension from exe to dll)
Analysis ID: 752975
MD5: d6ef4778f7dc9c31a0a2a989ef42d2fd
SHA1: 5dad8394ef37d5a006674589754f7a3187d303b1
SHA256: 54de1f2c26a63a8f6b7f8d5de99f8ebd4093959ab07f027db1985d0652258736
Tags: exeLDR4

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Performs DNS queries to domains with low reputation
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: pzG0rkIchr.dll ReversingLabs: Detection: 73%
Source: https://reaso.xyz Avira URL Cloud: Label: malware
Source: 3.3.regsvr32.exe.6cf200.1.raw.unpack Malware Configuration Extractor: Ursnif {"c2_domain": ["https://gigimas.xyz", "https://reaso.xyz"], "botnet": "202206061", "aes key": "eq2opFFpGzpd2p9t", "sleep time": "20", "request time": "30", "host keep time": "120", "host shift time": "120"}
Source: pzG0rkIchr.dll Static PE information: certificate valid
Source: pzG0rkIchr.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 0000000B.00000003.392399774.000001716D896000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390485617.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.392399063.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb: source: WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se.pdb\ source: WerFault.exe, 0000000C.00000002.404139284.000001DFB33E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se.pdb( source: WerFault.exe, 0000000B.00000002.404499737.000001716B9D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb6 source: WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UxTheme.pdb" source: WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.396118866.000001716E470000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396815765.000001DFB5E10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbU source: WerFault.exe, 0000000B.00000002.404499737.000001716B9D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000B.00000003.390149544.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.393542297.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390425076.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393721593.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000B.00000003.390201513.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.392963034.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390462142.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393053418.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.390045053.000001716D884000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.389884691.000001716D918000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390315024.000001DFB52C4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390223237.000001DFB5359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se.pdb source: WerFault.exe, 0000000B.00000002.404499737.000001716B9D2000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.404139284.000001DFB33E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000B.00000003.390149544.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.393542297.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390425076.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393721593.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000B.00000003.392399774.000001716D896000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390485617.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.392399063.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000B.00000003.390201513.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.392963034.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390462142.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393053418.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 0000000B.00000003.396118866.000001716E470000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396815765.000001DFB5E10000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07FB70 FindFirstFileExA, 0_2_00007FF88C07FB70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C07FB70 FindFirstFileExA, 3_2_00007FF88C07FB70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C07FB70 FindFirstFileExA, 6_2_00007FF88C07FB70

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 185.250.148.35 443
Source: C:\Windows\System32\rundll32.exe Domain query: gigimas.xyz
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:61007 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:60686 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:61124 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:59444 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:55570 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:64906 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2039645 ET TROJAN Observed DNS Query to Ursnif Domain (gigimas .xyz) 192.168.2.4:59446 -> 8.8.8.8:53
Source: C:\Windows\System32\rundll32.exe DNS query: gigimas.xyz (7 identical queries)
Source: Joe Sandbox View ASN Name: FIRSTDC-ASRU
Source: Joe Sandbox View IP Address: 185.250.148.35
Source: unknown Network traffic detected: HTTP traffic on ports 49706 through 49733 -> 443 (28 client ports, one entry each)
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706 through 49733 (28 client ports, one entry each)
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WerFault.exe, 0000000B.00000002.405055392.000001716D880000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.404603896.000001DFB52C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WerFault.exe, 0000000B.00000002.405055392.000001716D880000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.404603896.000001DFB52C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: pzG0rkIchr.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: pzG0rkIchr.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: pzG0rkIchr.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: pzG0rkIchr.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: pzG0rkIchr.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: pzG0rkIchr.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: loaddll64.exe, 00000000.00000003.402271914.0000027ED3940000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.388635168.0000000002100000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.826743463.0000021DDAD90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.826725063.0000021DDAC4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.388322445.000001F71CC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz
Source: rundll32.exe, 00000004.00000002.825050387.0000021DD91F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.758857404.0000021DD9255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.758869560.0000021DD925F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.693664493.0000021DD925F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/
Source: rundll32.exe, 00000004.00000003.432267293.0000021DD9200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/92
Source: rundll32.exe, 00000004.00000002.825050387.0000021DD91F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/ic
Source: rundll32.exe, 00000004.00000003.563913643.0000021DD9221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.html
Source: rundll32.exe, 00000004.00000003.759039619.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.759733313.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.694516726.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.629091178.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.693778417.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.html)I6
Source: rundll32.exe, 00000004.00000003.563913643.0000021DD9221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.htmll
Source: rundll32.exe, 00000004.00000003.497300012.0000021DD9221000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.497398978.0000021DD9226000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.htmlr
Source: rundll32.exe, 00000004.00000003.432113341.0000021DD9221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz/index.htmluH
Source: rundll32.exe, 00000004.00000002.825032098.0000021DD91ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.825050387.0000021DD91F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyz:443/index.html
Source: rundll32.exe, 00000004.00000002.826725063.0000021DDAC4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigimas.xyzhttps://reaso.xyz
Source: loaddll64.exe, 00000000.00000003.402277727.0000027ED3942000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.388644042.0000000002102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.826756799.0000021DDAD92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.388329786.000001F71CC62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://http://Mozilla/5.0
Source: rundll32.exe, 00000004.00000002.826725063.0000021DDAC4D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.388322445.000001F71CC60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reaso.xyz
Source: pzG0rkIchr.dll String found in binary or memory: https://sectigo.com/CPS0
Source: unknown DNS traffic detected: queries for: gigimas.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 400, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 400, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2100 -s 304
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED37137E0 0_2_0000027ED37137E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED3715638 0_2_0000027ED3715638
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED371A918 0_2_0000027ED371A918
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED3716DF0 0_2_0000027ED3716DF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED3717FD4 0_2_0000027ED3717FD4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED3713CD8 0_2_0000027ED3713CD8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED37131C0 0_2_0000027ED37131C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED37134A4 0_2_0000027ED37134A4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED3719D6C 0_2_0000027ED3719D6C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED3714540 0_2_0000027ED3714540
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED371204C 0_2_0000027ED371204C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C076D50 0_2_00007FF88C076D50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C075840 0_2_00007FF88C075840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C071520 0_2_00007FF88C071520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C088D50 0_2_00007FF88C088D50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C090D70 0_2_00007FF88C090D70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07F964 0_2_00007FF88C07F964
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C08B9B0 0_2_00007FF88C08B9B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0875E0 0_2_00007FF88C0875E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C081E14 0_2_00007FF88C081E14
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C08F290 0_2_00007FF88C08F290
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0742A0 0_2_00007FF88C0742A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0776E0 0_2_00007FF88C0776E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C071B10 0_2_00007FF88C071B10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C08B370 0_2_00007FF88C08B370
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C079BA0 0_2_00007FF88C079BA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0783C0 0_2_00007FF88C0783C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C086808 0_2_00007FF88C086808
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C076820 0_2_00007FF88C076820
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C074C80 0_2_00007FF88C074C80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07DCAC 0_2_00007FF88C07DCAC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0790B0 0_2_00007FF88C0790B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C075CC0 0_2_00007FF88C075CC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C08F8F0 0_2_00007FF88C08F8F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0898F0 0_2_00007FF88C0898F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D37E0 3_2_003D37E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D5638 3_2_003D5638
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003DA918 3_2_003DA918
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D9D6C 3_2_003D9D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D204C 3_2_003D204C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D4540 3_2_003D4540
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D34A4 3_2_003D34A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D6DF0 3_2_003D6DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D3CD8 3_2_003D3CD8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D7FD4 3_2_003D7FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003D31C0 3_2_003D31C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C076D50 3_2_00007FF88C076D50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C075840 3_2_00007FF88C075840
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C071520 3_2_00007FF88C071520
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C088D50 3_2_00007FF88C088D50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C090D70 3_2_00007FF88C090D70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C07F964 3_2_00007FF88C07F964
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C08B9B0 3_2_00007FF88C08B9B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C0875E0 3_2_00007FF88C0875E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C081E14 3_2_00007FF88C081E14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C08F290 3_2_00007FF88C08F290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C0742A0 3_2_00007FF88C0742A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C0776E0 3_2_00007FF88C0776E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C071B10 3_2_00007FF88C071B10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C08B370 3_2_00007FF88C08B370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C079BA0 3_2_00007FF88C079BA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C0783C0 3_2_00007FF88C0783C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C086808 3_2_00007FF88C086808
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C076820 3_2_00007FF88C076820
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C074C80 3_2_00007FF88C074C80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C07DCAC 3_2_00007FF88C07DCAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C0790B0 3_2_00007FF88C0790B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C075CC0 3_2_00007FF88C075CC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C08F8F0 3_2_00007FF88C08F8F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C0898F0 3_2_00007FF88C0898F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD93337E0 4_2_0000021DD93337E0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD9333CD8 4_2_0000021DD9333CD8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD93331C0 4_2_0000021DD93331C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD9335638 4_2_0000021DD9335638
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD9339D6C 4_2_0000021DD9339D6C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD93334A4 4_2_0000021DD93334A4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD9336DF0 4_2_0000021DD9336DF0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD9337FD4 4_2_0000021DD9337FD4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD933A918 4_2_0000021DD933A918
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD9334540 4_2_0000021DD9334540
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD933204C 4_2_0000021DD933204C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC037E0 5_2_000001F71CC037E0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC03CD8 5_2_000001F71CC03CD8
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC06DF0 5_2_000001F71CC06DF0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC034A4 5_2_000001F71CC034A4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC031C0 5_2_000001F71CC031C0
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC07FD4 5_2_000001F71CC07FD4
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC09D6C 5_2_000001F71CC09D6C
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC0A918 5_2_000001F71CC0A918
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC05638 5_2_000001F71CC05638
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC04540 5_2_000001F71CC04540
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC0204C 5_2_000001F71CC0204C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C071520 6_2_00007FF88C071520
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C088D50 6_2_00007FF88C088D50
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C076D50 6_2_00007FF88C076D50
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C090D70 6_2_00007FF88C090D70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C07F964 6_2_00007FF88C07F964
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C08B9B0 6_2_00007FF88C08B9B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C0875E0 6_2_00007FF88C0875E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C081E14 6_2_00007FF88C081E14
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C08F290 6_2_00007FF88C08F290
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C0742A0 6_2_00007FF88C0742A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C0776E0 6_2_00007FF88C0776E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C071B10 6_2_00007FF88C071B10
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C08B370 6_2_00007FF88C08B370
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C079BA0 6_2_00007FF88C079BA0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C0783C0 6_2_00007FF88C0783C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C086808 6_2_00007FF88C086808
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C076820 6_2_00007FF88C076820
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C075840 6_2_00007FF88C075840
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C074C80 6_2_00007FF88C074C80
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C07DCAC 6_2_00007FF88C07DCAC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C0790B0 6_2_00007FF88C0790B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C075CC0 6_2_00007FF88C075CC0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C08F8F0 6_2_00007FF88C08F8F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C0898F0 6_2_00007FF88C0898F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000027ED371A0AC CreateFileW,NtQueryDirectoryFile, 0_2_0000027ED371A0AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_003DA0AC CreateFileW,NtQueryDirectoryFile, 3_2_003DA0AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000021DD933A0AC CreateFileW,NtQueryDirectoryFile, 4_2_0000021DD933A0AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_000001F71CC0A0AC CreateFileW,NtQueryDirectoryFile, 5_2_000001F71CC0A0AC
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: pzG0rkIchr.dll ReversingLabs: Detection: 73%
Source: pzG0rkIchr.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pzG0rkIchr.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pzG0rkIchr.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,ItsnPq5v
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,QlqYo259k
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2100 -s 304
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1308 -s 304
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pzG0rkIchr.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,ItsnPq5v
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pzG0rkIchr.dll,QlqYo259k
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2100 -s 304
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1308 -s 304
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8047.tmp
Source: classification engine Classification label: mal84.troj.evad.winDLL@22/8@7/1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\ManagerMui
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: pzG0rkIchr.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: pzG0rkIchr.dll Static PE information: certificate valid
Source: pzG0rkIchr.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: pzG0rkIchr.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 0000000B.00000003.392399774.000001716D896000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390485617.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.392399063.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb: source: WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se.pdb\ source: WerFault.exe, 0000000C.00000002.404139284.000001DFB33E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb8 source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se.pdb( source: WerFault.exe, 0000000B.00000002.404499737.000001716B9D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb6 source: WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UxTheme.pdb" source: WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb8 source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb8 source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.396118866.000001716E470000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396815765.000001DFB5E10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbU source: WerFault.exe, 0000000B.00000002.404499737.000001716B9D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000B.00000003.390149544.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.393542297.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390425076.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393721593.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000B.00000003.390201513.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.392963034.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390462142.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393053418.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.390045053.000001716D884000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.389884691.000001716D918000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390315024.000001DFB52C4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390223237.000001DFB5359000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se.pdb source: WerFault.exe, 0000000B.00000002.404499737.000001716B9D2000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.404139284.000001DFB33E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000B.00000003.396163566.000001716E474000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396822650.000001DFB5E14000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: user32.pdb8 source: WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.395877568.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.396307800.000001716E477000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396853459.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396775988.000001DFB5E17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000B.00000003.390149544.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.393542297.000001716D88A000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390425076.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393721593.000001DFB52CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000B.00000003.392399774.000001716D896000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.395867216.000001716E471000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390485617.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.392399063.000001DFB52D7000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396760863.000001DFB5E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000B.00000003.390201513.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.392963034.000001716D890000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.390462142.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.393053418.000001DFB52D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 0000000B.00000003.396118866.000001716E470000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.396815765.000001DFB5E10000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C08B9B0 LoadLibraryA,GetProcAddress, 0_2_00007FF88C08B9B0
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pzG0rkIchr.dll

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 400, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 5272 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe API coverage: 4.0 %
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07FB70 FindFirstFileExA, 0_2_00007FF88C07FB70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C07FB70 FindFirstFileExA, 3_2_00007FF88C07FB70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C07FB70 FindFirstFileExA, 6_2_00007FF88C07FB70
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: rundll32.exe, 00000004.00000003.759039619.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.564079958.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.759733313.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.497353450.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.694516726.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.629091178.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.825208523.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.432152980.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.497418075.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.693778417.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW\
Source: WerFault.exe, 0000000C.00000002.404708361.000001DFB5324000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0*K
Source: WerFault.exe, 0000000B.00000002.405301805.000001716D916000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.403687494.000001716D916000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW</
Source: WerFault.exe, 0000000B.00000003.401733084.000001716D910000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000003.401808320.000001716D914000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW</%SystemRoot%\system32\mswsock.dll<reqs>
Source: rundll32.exe, 00000004.00000003.759039619.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.564079958.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.759733313.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.497353450.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.694516726.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.629091178.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.825208523.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.432152980.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.497418075.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.693778417.0000021DD923C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000002.404822488.000001716BA98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000004.00000002.824960141.0000021DD91C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07E374 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF88C07E374
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C08B9B0 LoadLibraryA,GetProcAddress, 0_2_00007FF88C08B9B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0711F0 ReadFile,GetProcessHeap,HeapFree, 0_2_00007FF88C0711F0
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2100 -s 304
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C086DA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF88C086DA4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07E374 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF88C07E374
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07BC0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF88C07BC0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C086DA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF88C086DA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C07E374 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF88C07E374
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FF88C07BC0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF88C07BC0C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C086DA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF88C086DA4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C07E374 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF88C07E374
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FF88C07BC0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF88C07BC0C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 185.250.148.35 443
Source: C:\Windows\System32\rundll32.exe Domain query: gigimas.xyz
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pzG0rkIchr.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2100 -s 304
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1308 -s 304
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C0865F0 cpuid 0_2_00007FF88C0865F0
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C08ED60 CreateNamedPipeA, 0_2_00007FF88C08ED60
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF88C07BB08 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF88C07BB08

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 400, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: loaddll64.exe PID: 492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 400, type: MEMORYSTR