Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File created: C:\ProgramData\c523645.der |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process created: C:\Windows\System32\certutil.exe certutil -addstore -f -user ROOT C:\ProgramData\\c523645.der |
Source: powershell.exe | String found in binary or memory: file:// |
Source: powershell.exe | String found in binary or memory: file:/// |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.management.automation/1.0.0.0__31bf3856ad364e35/system.m |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/ |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/9 |
Source: powershell.exe | String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/en-us/microsoft.powershell.consolehost.resources/ |
Source: cert8.db.3068.dr | String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0n |
Source: powershell.exe | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccodsigpca_08-31-2010.crl0z |
Source: powershell.exe | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0t |
Source: powershell.exe | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microsofttimestamppca.crl0x |
Source: cert8.db.3068.dr | String found in binary or memory: http://crl3.digicert.com/digicertglobalrootca.crl07 |
Source: cert8.db.3068.dr | String found in binary or memory: http://crl3.digicert.com/digicerthighassuranceevrootca.crl0 |
Source: cert8.db.3068.dr | String found in binary or memory: http://crl4.digicert.com/digicertglobalrootca.crl0= |
Source: cert8.db.3068.dr | String found in binary or memory: http://crl4.digicert.com/digicerthighassuranceevrootca.crl0 |
Source: cert8.db.3068.dr | String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0. |
Source: cert8.db.3068.dr | String found in binary or memory: http://g.symcd.com0 |
Source: rasdial.exe | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=104288 |
Source: powershell.exe | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=108995 |
Source: powershell.exe | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=109270 |
Source: powershell.exe | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=125824-http://go.microsoft.com/fwlink/?linkid=125723-http://g |
Source: powershell.exe | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362. |
Source: powershell.exe | String found in binary or memory: http://java.com/ |
Source: powershell.exe | String found in binary or memory: http://java.com/help |
Source: powershell.exe | String found in binary or memory: http://java.com/helphttp://java.com/help |
Source: powershell.exe | String found in binary or memory: http://java.com/http://java.com/ |
Source: powershell.exe | String found in binary or memory: http://microsoft.com0 |
Source: cert8.db.3068.dr | String found in binary or memory: http://ocsp.digicert.com0 |
Source: cert8.db.3068.dr | String found in binary or memory: http://ocsp.digicert.com0m |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2004/02/mit/task |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2004/02/mit/task( |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2004/02/mit/task? |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2004/02/mit/taskh |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2004/02/mit/taskp |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2004/02/mit/taskty |
Source: cert8.db.3068.dr | String found in binary or memory: http://www.digicert.com/cacerts/digicerthighassuranceevrootca.crt0 |
Source: cert8.db.3068.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0 |
Source: powershell.exe | String found in binary or memory: http://www.microsoft.com/downloadsberr: |
Source: powershell.exe | String found in binary or memory: http://www.microsoft.com/pki/certs/miccodsigpca_08-31-2010.crt0 |
Source: powershell.exe | String found in binary or memory: http://www.microsoft.com/pki/certs/microsoftrootcert.crt0 |
Source: powershell.exe | String found in binary or memory: http://www.microsoft.com/pki/certs/microsofttimestamppca.crt0 |
Source: cert8.db.3068.dr | String found in binary or memory: https://www.digicert.com/cps0 |
Source: cert8.db.3068.dr | String found in binary or memory: https://www.geotrust.com/resources/repository0 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00402060 DeleteUrlCacheEntry,URLDownloadToFileA, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File created: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif |
Source: powershell.exe | String found in binary or memory: LOG: AssemblyStore path = %wsLWRN: Comparing the assembly name resulted in the mismatch: Retargetable flag"LOG: Retarget policy is not found.CLOG: Name redirect found in retarget config: %ws redirected to %ws.FLOG: Version redirect found in retarget config: %ws redirected to %ws.MLOG: PublicKeyToken redirect found in retarget config: %ws redirected to %ws.$ERR: Parse XML memory stream failed.CERR: bindingRetarget tag is not processed due to insufficient data. |
Source: certutil.exe | String found in binary or memory: ???=%x!Get configuration via ICertConfig |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File created: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00412E87 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Static PE information: real checksum: 0x0 should be: 0x45796 |
Source: system.pif.3060.dr | Static PE information: real checksum: 0x0 should be: 0x45796 |
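The two "real checksum: 0x0 should be: 0x45796" lines mean the OptionalHeader.CheckSum field in the PE header is zero while the value recomputed over the file is 0x45796. Windows only enforces this field for kernel drivers and a few system images, so a user-mode executable runs fine with it zeroed; the sandbox flags it because linkers fill it in and hand-patched or post-processed binaries often do not. The following is an added example, not the sandbox's or the report's code, of that recomputation in Python. The image it runs on is a constructed minimal PE header (DOS header, signature, COFF header, PE32 optional header, no sections) built inline; the report's own file is not available here, so 0x45796 is not reproduced.

```python
"""Recompute the PE CheckSum the 'real checksum: 0x0 should be: ...' lines refer to."""
import struct


def checksum_field_offset(data):
    """OptionalHeader.CheckSum sits at e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """16-bit sum with end-around carry over the whole file, skipping the 4-byte
    CheckSum field itself, plus the file length (the imagehlp CheckSumMappedFile rule).
    Assumes e_lfanew is even, as it is in every real-world image."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" if len(data) % 2 else data   # an odd trailing byte counts as a word
    total = 0
    for off in range(0, len(padded), 2):
        if off in (skip, skip + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)        # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify(data):
    """Return (stored, computed, matches); stored == 0 is the 'never set' case a sandbox reports."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_pe(checksum=0):
    """Constructed toy image: DOS header + signature + COFF + PE32 optional header,
    no sections. Enough for the header walk; not something Windows would load."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, EXE, 32-bit
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)                      # ImageBase
    struct.pack_into("<I", opt, 64, checksum)                        # CheckSum
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    image = build_minimal_pe()
    stored, computed, ok = verify(image)
    print(f"real checksum: {stored:#x} should be: {computed:#x} (match={ok})")
    print("after fixing the field:", verify(build_minimal_pe(computed)))
```

Because the field is skipped during the sum, writing the computed value back into the header does not change the result, which is what lets `verify` report a match on the repaired image; a zero stored value with a non-zero computed one is exactly the condition the report's line describes.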
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_0041FA95 push cs; retf |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_1_0041FA95 push cs; retf |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_00408850 #6330,#860,#354,GetSystemTimeAdjustment,GetUserNameA,SetCommTimeouts,GetCurrentThread,GetCurrentThread,GetCurrentProcess,GetTimeFormatA,LoadCursorA,SetFilePointer,IsDialogMessageA,ShowCaret,GetMessageW,EmptyClipboard,FindFirstFileA,IsDialogMessageA,SetTimer,GetTimeFormatA,RegisterClassA,EndPaint,MultiByteToWideChar,#273,#1961,#273,#879,#1961,#1971,time,srand,rand,#537,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#800,rand,rand,#537,#800,rand,#858,#603,#603,#6330,#665, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00405960 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_1_00405960 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming\Microsoft\Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll |
Source: | Binary string: mscorrc.pdb source: powershell.exe |
Source: classification engine | Classification label: mal80.evad.adwa.phis.bank.winEXE@12/10@0/0 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_003D0018 LoadLibraryA,SHGetSpecialFolderPathW,CreateProcessW,NtReadVirtualMemory,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,MoveFileExW,CopyFileW,MoveFileExW, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00403040 RevertToSelf,CoInitializeEx,CoInitializeSecurity,CoUninitialize,CoCreateInstance,CoUninitialize,#8,#8,#8,#8,#8,#9,#9,#9,#9,CoUninitialize,CoUninitialize,#8,#9,#9,#9,#9,#8,#9,SetErrorInfo, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00404CD0 FindResourceA,WideCharToMultiByte,WideCharToMultiByte, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File created: C:\ProgramData\c523645.der |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File created: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: unknown | Process created: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: unknown | Process created: C:\Windows\System32\certutil.exe |
Source: unknown | Process created: C:\Windows\System32\certutil.exe |
Source: unknown | Process created: C:\Windows\System32\cmd.exe |
Source: unknown | Process created: C:\Windows\System32\rasdial.exe |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process created: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell /? |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process created: C:\Windows\System32\certutil.exe certutil -? |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process created: C:\Windows\System32\certutil.exe certutil -addstore -f -user ROOT C:\ProgramData\\c523645.der |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rasdial.exe rasdial Intenret user1 2fc45dZFEfdf |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_003D0018 LoadLibraryA,SHGetSpecialFolderPathW,CreateProcessW,NtReadVirtualMemory,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,MoveFileExW,CopyFileW,MoveFileExW, |
Source: C:\Windows\System32\certutil.exe | File created: C:\Windows\cer93.tmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex |
Source: C:\Windows\System32\certutil.exe | File deleted: C:\Windows\cer93.tmp |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: String function: 00409788 appears 103 times |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: String function: 0040954C appears 38 times |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: system.pif.3060.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: OriginalFilenameArranger.exe vs Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: OriginalFilenameodbcint.dll.muij% vs Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: OriginalFilenameCertUtil.exej% vs Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: OriginalFilenameArranger.exe vs Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: OriginalFilenameArranger.exe vs Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File read: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\36.0.1 (x86 en-US)\Main Install Directory |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: LoadLibraryA,SHGetSpecialFolderPathW,CreateProcessW,NtReadVirtualMemory,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,MoveFileExW,CopyFileW,MoveFileExW, explorer.exe.\ |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_003D0018 LoadLibraryA,SHGetSpecialFolderPathW,CreateProcessW,NtReadVirtualMemory,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,MoveFileExW,CopyFileW,MoveFileExW, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Memory written: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe base: 300000 value starts with: 4D5A |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Memory written: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe base: 400000 value starts with: 4D5A |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Thread register set: target process: 3068 |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_0040ECFA SetUnhandledExceptionFilter, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00407C4D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_0041304D SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00408557 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_1_0040ECFA SetUnhandledExceptionFilter, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_1_00407C4D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_1_0041304D SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_1_00408557 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write and page guard |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00407C4D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00412E87 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_004182E9 GetProcessHeap, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_00408850 #6330,#860,#354,GetSystemTimeAdjustment,GetUserNameA,SetCommTimeouts,GetCurrentThread,GetCurrentThread,GetCurrentProcess,GetTimeFormatA,LoadCursorA,SetFilePointer,IsDialogMessageA,ShowCaret,GetMessageW,EmptyClipboard,FindFirstFileA,IsDialogMessageA,SetTimer,GetTimeFormatA,RegisterClassA,EndPaint,MultiByteToWideChar,#273,#1961,#273,#879,#1961,#1971,time,srand,rand,#537,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#800,rand,rand,#537,#800,rand,#858,#603,#603,#6330,#665, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00405960 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_1_00405960 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary, |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: VBoxService.exe |
Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: vmtoolsd.exe |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process information queried: ProcessInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: -922337203685477 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming\Microsoft\Windows |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3120 | Thread sleep time: -922337203685477ms >= -60000ms |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File opened: C:\myapp.exe |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: VBoxService.exe VBoxService.exe VBoxService.exe VBoxService.exe vmtoolsd.exe vmtoolsd.exe |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_004093A0 IsIconic, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File written: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\7e8oquqo.default\cert8.db |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File written: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\7e8oquqo.default\key3.db |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_00408850 #6330,#860,#354,GetSystemTimeAdjustment,GetUserNameA,SetCommTimeouts,GetCurrentThread,GetCurrentThread,GetCurrentProcess,GetTimeFormatA,LoadCursorA,SetFilePointer,IsDialogMessageA,ShowCaret,GetMessageW,EmptyClipboard,FindFirstFileA,IsDialogMessageA,SetTimer,GetTimeFormatA,RegisterClassA,EndPaint,MultiByteToWideChar,#273,#1961,#273,#879,#1961,#1971,time,srand,rand,#537,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#537,#800,#800,rand,rand,#537,#800,rand,#858,#603,#603,#6330,#665, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 1_2_00406440 GetVersionExA, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: GetLocaleInfoA, |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: GetLocaleInfoA, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate |
Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |
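Read as a whole, the report above is a flat list of observations with the signature headings stripped, and most of it is noise (CRL and OCSP URLs carried by the Firefox cert8.db, .NET loader strings, desktop.ini reads). A handful of lines decide the verdict: certutil writing C:\ProgramData\c523645.der into the user's ROOT store, the same process writing cert8.db and key3.db in the Firefox profile (Firefox keeps its own trust store, so a rogue CA has to be planted there too), a .pif dropped under the Start Menu Startup folder, the CreateProcessW/WriteProcessMemory/SetThreadContext/ResumeThread chain of process hollowing, the VBoxService.exe/vmtoolsd.exe strings, and rasdial launched with a user name and password on its command line. The following is an added example, not part of the report or of any sandbox vendor's tooling, of a small triage script in Python that pulls exactly those observations out of this line format. Its sample input is constructed: lines copied from the report (the hollowing API list abbreviated) plus one benign powershell line that must not fire. The rule names, the verdict policy and the `<redacted>` handling of the rasdial password are the author's choices, not something the report defines.

```python
"""Triage of a flat sandbox behaviour log ('Source: <origin> | <observation> |')."""
import re

# Constructed sample: lines copied from the report (hollowing API list abbreviated),
# plus one benign powershell line that must NOT produce a finding.
SAMPLE_LINES = [
    r"Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Process created: C:\Windows\System32\certutil.exe certutil -addstore -f -user ROOT C:\ProgramData\\c523645.der |",
    r"Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File created: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif |",
    r"Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Code function: 0_2_003D0018 LoadLibraryA,SHGetSpecialFolderPathW,CreateProcessW,NtReadVirtualMemory,VirtualAllocEx,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess, |",
    r"Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rasdial.exe rasdial Intenret user1 2fc45dZFEfdf |",
    r"Source: C:\Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | File written: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\7e8oquqo.default\cert8.db |",
    r"Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Binary or memory string: vmtoolsd.exe |",
    r"Source: Quittung.Ihre_N00000005334641-6541c26d4e687dbe01f96033d6578663.exe | Static PE information: real checksum: 0x0 should be: 0x45796 |",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\admin\AppData\Roaming\Microsoft |",
]

LINE_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<obs>.*?)\s*\|?\s*$")

# Regex rules over the observation text: (name, pattern, why it matters).
# A group named 'ev' is reported as the evidence; otherwise the whole match is.
RULES = [
    ("rogue_root_ca",
     re.compile(r"\bcertutil(?:\.exe)?\b.*?-addstore\b(?P<flags>(?:\s+-\w+)*)\s+(?P<store>root)\s+(?P<path>\S+)", re.I),
     "a new trust anchor lets the operator terminate TLS for any site the victim visits"),
    ("startup_persistence",
     re.compile(r"^File created:\s*(?P<ev>.*\\Start Menu\\Programs\\Startup.*)$", re.I),
     "files under the Start Menu Startup folder run at every logon (prefix match also covers the report's 'Startupx')"),
    ("firefox_nss_store_tamper",
     re.compile(r"^File written:\s*(?P<ev>.*\\(?:cert[89]|key[34])\.db)$", re.I),
     "Firefox has its own NSS trust store, so a rogue CA must be planted there separately"),
    ("anti_vm_strings",
     re.compile(r"\b(?:VBoxService|vmtoolsd)\.exe\b", re.I),
     "guest-tools process names are used to recognise an analysis VM"),
    ("pe_checksum_zero",
     re.compile(r"real checksum:\s*0x0\s+should be:\s*0x[0-9a-f]+", re.I),
     "a zeroed CheckSum is typical of hand-built or post-processed binaries"),
]
HOLLOWING_CORE = {"WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return (m["source"], m["obs"]) if m else None


def hollowing_chain(obs):
    """Spawn, overwrite the image, redirect the entry point via the thread context, resume."""
    if not obs.startswith("Code function:"):
        return False
    apis = set(re.findall(r"[A-Za-z_]\w*", obs))
    return bool({"CreateProcessW", "CreateProcessA"} & apis) and HOLLOWING_CORE <= apis


def rasdial_credentials(obs):
    """rasdial <entry> <user> <password>: the password travels on the command line."""
    tokens = obs.split()
    hits = [i for i, t in enumerate(tokens)
            if t.lower().rsplit("\\", 1)[-1] in ("rasdial", "rasdial.exe")]
    args = tokens[hits[-1] + 1:] if hits else []
    return dict(zip(("entry", "user", "password"), args)) if len(args) >= 3 else None


def triage(lines):
    findings = {}

    def add(name, source, evidence, why):
        findings.setdefault(name, []).append({"source": source, "evidence": evidence, "why": why})

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, obs = parsed
        for name, pattern, why in RULES:
            m = pattern.search(obs)
            if not m:
                continue
            if name == "rogue_root_ca":   # -user means CurrentUser\Root, no admin rights needed
                scope = "user" if "-user" in m["flags"].lower().split() else "machine"
                evidence = f"store={m['store']} scope={scope} cert={m['path']}"
            else:
                evidence = m["ev"] if "ev" in m.groupdict() else m.group(0)
            add(name, source, evidence, why)
        if hollowing_chain(obs):
            add("process_hollowing", source, "CreateProcessW,WriteProcessMemory,SetThreadContext,ResumeThread",
                "a suspended copy of the process is started and its image replaced in memory")
        creds = rasdial_credentials(obs)
        if creds:   # keep the secret out of tickets and chat
            add("cleartext_dialup_creds", source,
                f"entry={creds['entry']} user={creds['user']} password=<redacted>",
                "dial-up/VPN credentials passed on the command line")
    return findings


def verdict(findings):
    if "rogue_root_ca" in findings or "process_hollowing" in findings:
        return "malicious"
    return "suspicious" if findings else "clean"
```

Run over the sample, `triage` returns seven finding groups and `verdict` says malicious; the benign powershell line on its own yields an empty dict and a clean verdict. On a full report, feed it the lines as-is; the regexes only look at the observation text after the first pipe, so the source column never triggers a rule.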