Windows Analysis Report
I7GcHDtUIF.exe

Overview

General Information

Sample name: I7GcHDtUIF.exe
renamed because original name is a hash value
Original sample name: bb63e746e54ae6a1ff2d5d01fc4b6c61.exe
Analysis ID: 1499931
MD5: bb63e746e54ae6a1ff2d5d01fc4b6c61
SHA1: b22879f1eb81aabb7cf37fd531f85724f84fdc09
SHA256: 18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6
Tags: Amadeyexe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: http://45.80.158.31/g9bkfkWf/index.php?scr=1 Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php?wal=1 Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php?wal=18 Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php?wal=1urn Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll Avira: detection malicious, Label: HEUR/AGEN.1300426
Source: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll Avira: detection malicious, Label: TR/PSW.Agent.nwhwy
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Avira: detection malicious, Label: HEUR/AGEN.1300426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Avira: detection malicious, Label: TR/PSW.Agent.nwhwy
Source: I7GcHDtUIF.exe Malware Configuration Extractor: Amadey {"C2 url": "45.80.158.31/g9bkfkWf/index.php", "Version": "4.41", "Install Folder": "28c5e5ba36", "Install File": "Hkbsse.exe"}
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe ReversingLabs: Detection: 60%
Source: I7GcHDtUIF.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Joe Sandbox ML: detected
Source: I7GcHDtUIF.exe Joe Sandbox ML: detected
Source: I7GcHDtUIF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: I7GcHDtUIF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64.dll.1.dr, cred64[1].dll.1.dr
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C83C5EF FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free, 8_2_6C83C5EF
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.80.158.31 80
Source: Malware configuration extractor IPs: 45.80.158.31
Source: Joe Sandbox View ASN Name: UK2NET-ASGB UK2NET-ASGB
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006FB219 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006FB219
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/Plugins/clip64.dll
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/Plugins/clip64.dllndows.storage.dlll
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3D88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.0000000003590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?scr=1
Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=1
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=18
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=1urn
Source: rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.phpk
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/im
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.80.158.31/sP
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4734000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C833140 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard, 8_2_6C833140
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C833140 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard, 8_2_6C833140
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_007105E7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 0_2_007105E7
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_001605E7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 2_2_001605E7
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File created: C:\Windows\Tasks\Hkbsse.job
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006FB219 0_2_006FB219
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00715054 0_2_00715054
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0073B17B 0_2_0073B17B
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0073C240 0_2_0073C240
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0073B29B 0_2_0073B29B
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_007366F0 0_2_007366F0
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00714865 0_2_00714865
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00717843 0_2_00717843
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0072B8A3 0_2_0072B8A3
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0073AA29 0_2_0073AA29
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006F4AF0 0_2_006F4AF0
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00719BE5 0_2_00719BE5
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00736B88 0_2_00736B88
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006F4C70 0_2_006F4C70
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006F4E70 0_2_006F4E70
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00165054 2_2_00165054
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0018B17B 2_2_0018B17B
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0018C240 2_2_0018C240
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0018B29B 2_2_0018B29B
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_001866F0 2_2_001866F0
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00167843 2_2_00167843
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00164865 2_2_00164865
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0017B8A3 2_2_0017B8A3
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0018AA29 2_2_0018AA29
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00144AF0 2_2_00144AF0
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00186B88 2_2_00186B88
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00169BE5 2_2_00169BE5
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00144C70 2_2_00144C70
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00144E70 2_2_00144E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C833140 8_2_6C833140
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C8422C1 8_2_6C8422C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B4C77F8 9_2_00007FFD9B4C77F8
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: String function: 001619D0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: String function: 0015BA50 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: String function: 00161392 appears 67 times
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: String function: 007119D0 appears 39 times
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: String function: 0070BA50 appears 128 times
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: String function: 00711392 appears 67 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C837560 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C835F40 appears 103 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C836CB8 appears 47 times
Source: I7GcHDtUIF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@18/22@0/1
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006FB219 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006FB219
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Roaming\309a138a12cecf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Mutant created: \Sessions\1\BaseNamedObjects\309a138a12cecfb9dfd5a76987d8a372
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File created: C:\Users\user\AppData\Local\Temp\28c5e5ba36
Source: I7GcHDtUIF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
Source: cred64.dll.1.dr, cred64[1].dll.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: cred64.dll.1.dr, cred64[1].dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cred64.dll.1.dr, cred64[1].dll.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: cred64.dll.1.dr, cred64[1].dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cred64.dll.1.dr, cred64[1].dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cred64.dll.1.dr, cred64[1].dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3D28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cred64.dll.1.dr, cred64[1].dll.1.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: I7GcHDtUIF.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File read: C:\Users\user\Desktop\I7GcHDtUIF.exe
Source: unknown Process created: C:\Users\user\Desktop\I7GcHDtUIF.exe "C:\Users\user\Desktop\I7GcHDtUIF.exe"
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: I7GcHDtUIF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64.dll.1.dr, cred64[1].dll.1.dr
Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0071F9EC LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0071F9EC
Source: cred64[1].dll.1.dr Static PE information: section name: _RDATA
Source: cred64.dll.1.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0071136C push ecx; ret 0_2_0071137F
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0070049B push ds; retf 0000h 0_2_0070049F
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0016136C push ecx; ret 2_2_0016137F
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0015049B push ds; retf 0000h 2_2_0015049F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C8375A6 push ecx; ret 8_2_6C8375B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B4B28FA push ebx; iretd 9_2_00007FFD9B4B290A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B4B2785 push ebx; iretd 9_2_00007FFD9B4B290A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58BBCA push ss; ret 9_2_00007FFD9B58BBD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B584BCA push ss; ret 9_2_00007FFD9B584BCC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B584BD0 push ss; ret 9_2_00007FFD9B584BD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58B2CA push esi; retf 9_2_00007FFD9B58B2CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CACC push eax; retf 0000h 9_2_00007FFD9B58CAD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5812CF push ss; ret 9_2_00007FFD9B5812D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CAA8 push 140000C9h; retf 0000h 9_2_00007FFD9B58CAB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CA8A push esi; retf 9_2_00007FFD9B58CA8B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58B260 push ss; ret 9_2_00007FFD9B58B263
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B586340 push eax; retf 9_2_00007FFD9B58634B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B584B05 push ss; ret 9_2_00007FFD9B584B0B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5862DE push ss; ret 9_2_00007FFD9B5862E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58AA1B push ss; ret 9_2_00007FFD9B58AA1E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58221A push esi; retf 9_2_00007FFD9B58221B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5888B2 push esi; retf 9_2_00007FFD9B5888B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58185F push ss; ret 9_2_00007FFD9B581861
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B589942 push ss; ret 9_2_00007FFD9B589944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5837A8 push eax; retf 9_2_00007FFD9B5837B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B582F98 push ss; ret 9_2_00007FFD9B582F9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CF60 push eax; iretd 9_2_00007FFD9B58CF61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58285C push ss; ret 9_2_00007FFD9B582865
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B582856 push ss; ret 9_2_00007FFD9B582858
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58AFFA push ss; ret 9_2_00007FFD9B58AFFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B586E64 push ss; ret 9_2_00007FFD9B586E6C
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File created: C:\Windows\Tasks\Hkbsse.job

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 9719
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5091
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4680
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe API coverage: 2.3 %
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 4080 Thread sleep time: -1500000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 2676 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 344 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 4080 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep count: 278 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep time: -278000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep count: 9719 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep time: -9719000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C83C5EF FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free, 8_2_6C83C5EF
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006F85E0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_006F85E0
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
Source: rundll32.exe, 00000008.00000002.4126034396.00000000035A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWAc*t
Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7
Source: rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3D28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.00000000035A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: netsh.exe, 00000006.00000003.1703353327.0000027C72365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0072A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0072A4FE
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0071F9EC LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0071F9EC
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0072DCE2 mov eax, dword ptr fs:[00000030h] 0_2_0072DCE2
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00729F7B mov eax, dword ptr fs:[00000030h] 0_2_00729F7B
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0017DCE2 mov eax, dword ptr fs:[00000030h] 2_2_0017DCE2
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00179F7B mov eax, dword ptr fs:[00000030h] 2_2_00179F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C83C0D1 mov eax, dword ptr fs:[00000030h] 8_2_6C83C0D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C83AA9F mov eax, dword ptr fs:[00000030h] 8_2_6C83AA9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C83DA64 GetProcessHeap, 8_2_6C83DA64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0072A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0072A4FE
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_007115F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007115F5
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00710C37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00710C37
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0017A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0017A4FE
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_001615F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_001615F5
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_00160C37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00160C37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C836CCD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6C836CCD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C837431 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C837431
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C83A094 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C83A094

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.80.158.31 80
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006F77A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 0_2_006F77A0
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_007117E1 cpuid 0_2_007117E1
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006FB219 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006FB219
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006FB219 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006FB219
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006F85E0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_006F85E0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Source: Yara match File source: 8.2.rundll32.exe.6c830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, type: DROPPED
Source: Yara match File source: I7GcHDtUIF.exe, type: SAMPLE
Source: Yara match File source: 8.2.rundll32.exe.6c830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.I7GcHDtUIF.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.I7GcHDtUIF.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1659071184.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2288882399.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2290214428.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.1664512178.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1667726403.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1692138583.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.1689588542.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, type: DROPPED
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Program Files (x86)\FZZgSiwoxTBSBtKXXbDNUUJFBqMCcytLQCqtnkRwXnprVQJgVODeSJUWpvjulcQr\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Temp\28c5e5ba36\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Desktop\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe File opened: C:\.purple\accounts.xml
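The credential-harvesting entries above share one detection-relevant shape: the files are ordinary application stores (Chromium-family "Login Data", Firefox logins.json, FileZilla sitemanager.xml, Pidgin .purple\accounts.xml), but the process opening them is rundll32.exe, which is hosting the dropped cred64.dll rather than any browser, FTP or IM client, and the same process spawns netsh wlan show profiles. Note that "show profiles" only lists saved SSIDs; the stored key is revealed by the follow-up "netsh wlan show profile name=<ssid> key=clear". The script below is an added example, not part of the Joe Sandbox report or of the Amadey sample: it parses behaviour lines in the report's own "Source: ... File opened: ..." / "Process created: ..." form (tolerating the report's "Jump to behavior" link text), classifies the opened path, and flags any credential store read by a process outside a small allow-list of expected readers. The sample lines are constructed from this section plus one benign chrome.exe line; the allow-list and the line shape are assumptions for illustration, and a real deployment would feed it Sysmon or EDR file-open telemetry instead. It also collects the directories probed for .purple\accounts.xml, which makes the spread beyond %APPDATA% visible at a glance.

```python
"""Flag credential-store reads by unexpected processes in sandbox behaviour lines.

Added example for the Amadey report; not the report's or the malware's own code.
"""
import ntpath
import re
from collections import defaultdict

# Shape of the report's behaviour lines (assumption: real telemetry differs).
LINE_RE = re.compile(
    r"^Source:\s+(?P<actor>.+?)\s+"
    r"(?:File opened:\s+(?P<path>.+?)"
    r"|Process created:\s+(?P<image>.+?\.exe)\s+(?P<cmdline>.+?))"
    r"(?:\s+Jump to behavior)?\s*$",
    re.I,
)

# Credential stores seen in the report, keyed by family.
CREDENTIAL_STORES = {
    "chromium_logins": re.compile(r"\\Login Data$", re.I),        # Chrome, Edge, Opera, Vivaldi, ...
    "firefox_logins": re.compile(r"\\logins\.json$", re.I),       # Firefox profile
    "filezilla_sites": re.compile(r"\\FileZilla\\sitemanager\.xml$", re.I),
    "pidgin_accounts": re.compile(r"\\\.purple\\accounts\.xml$", re.I),
}

# Processes that legitimately read each store (illustrative allow-list, an assumption).
EXPECTED_READERS = {
    "chromium_logins": {"chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe"},
    "firefox_logins": {"firefox.exe"},
    "filezilla_sites": {"filezilla.exe"},
    "pidgin_accounts": {"pidgin.exe"},
}

# Wi-Fi profile enumeration; "show profile name=... key=clear" reveals stored keys.
WLAN_ENUM_RE = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I)


def analyze(lines):
    """Return stores opened per process, .purple probe directories and findings."""
    stores_by_actor = defaultdict(set)
    pidgin_probe_dirs = []
    wlan_enum = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other signature lines (Yara matches, code functions) are ignored
        actor = ntpath.basename(m["actor"]).lower()
        if m["path"]:
            path = m["path"]
            for store, pattern in CREDENTIAL_STORES.items():
                if pattern.search(path):
                    stores_by_actor[actor].add(store)
                    if store == "pidgin_accounts":
                        # strip "\.purple\accounts.xml" to get the directory that was probed
                        pidgin_probe_dirs.append(ntpath.dirname(ntpath.dirname(path)))
        elif WLAN_ENUM_RE.search(m["cmdline"]):
            wlan_enum.append((actor, m["cmdline"]))

    findings = []
    for actor, stores in sorted(stores_by_actor.items()):
        unexpected = sorted(s for s in stores if actor not in EXPECTED_READERS[s])
        if unexpected:
            findings.append(f"{actor} opened {', '.join(unexpected)}")
    for actor, cmd in wlan_enum:
        findings.append(f"{actor} spawned '{cmd}' (Wi-Fi profile enumeration)")
    return {
        "stores_by_actor": {a: sorted(s) for a, s in stores_by_actor.items()},
        "pidgin_probe_dirs": pidgin_probe_dirs,
        "findings": findings,
    }


# Constructed sample: lines from this report plus one benign browser read.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles",
    r"Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json Jump to behavior",
    r"Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior",
    r"Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml Jump to behavior",
    r"Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior",
    r"Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\System32\.purple\accounts.xml Jump to behavior",
    # benign: the browser reading its own store must not fire (constructed line)
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES)["findings"]:
        print(finding)
```

On the sample the only process that trips the allow-list is rundll32.exe, for all four store families, and the same process is the parent of the netsh enumeration; chrome.exe reading its own Login Data produces nothing. Tuning the allow-list per environment is the main work in a real rule, since password managers and backup agents also read these files.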
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0072269B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_0072269B
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_007219A4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_007219A4
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0017269B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 2_2_0017269B
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_001719A4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 2_2_001719A4