Edit tour

Windows Analysis Report
1pXdiCesZ6.exe

Overview

General Information

Sample Name:	1pXdiCesZ6.exe
Original Sample Name:	bd52acbe6fba86dc602e5a851d70c665.exe
Analysis ID:	1352847
MD5:	bd52acbe6fba86dc602e5a851d70c665
SHA1:	b5371851f50ff84372553b296208d97c4a04c9a2
SHA256:	8ffd4fd0e29d6888e9eaf78a6f698436f8a4477cdba8b6271015f7b012d1f8e0
Tags:	32exetrojan
Infos:

Detection

DanaBot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Detected unpacking (overwrites its own PE header)

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

May use the Tor software to hide its network traffic

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Classification

Process Tree

System is w10x64

1pXdiCesZ6.exe (PID: 5100 cmdline: C:\Users\user\Desktop\1pXdiCesZ6.exe MD5: BD52ACBE6FBA86DC602E5A851D70C665)

conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 2084 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll,start MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5004 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 MD5: EF3179D498793BF4234F708D3BE28633)

schtasks.exe (PID: 7188 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7240 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7924 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8020 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8132 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7228 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2256 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2260 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7504 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2144 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4088 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7608 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2344 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1640 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3748 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1356 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5168 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2004 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5668 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4908 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4228 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6236 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6496 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6796 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6376 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6116 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8024 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8152 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7252 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1800 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7332 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2212 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7504 cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7056 cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DanaBot	Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.	SCULLY SPIDER	https://asec.ahnlab.com/en/30445/ https://asert.arbornetworks.com/danabots-travels-a-global-perspective/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.lexfo.fr/danabot-malware.html https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
Process Memory Space: rundll32.exe PID: 2084	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.1pXdiCesZ6.exe.f20000.0.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1pXdiCesZ6.exe	ReversingLabs: Detection: 29%
Source: 1pXdiCesZ6.exe	Virustotal: Detection: 32%			Perma Link

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.1pXdiCesZ6.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

Unpacked PE file: 0.2.1pXdiCesZ6.exe.f20000.0.unpack

Source: 1pXdiCesZ6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1pXdiCesZ6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Code function: 0_2_00F2D258 FindFirstFileW,FindClose,	0_2_00F2D258
Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Code function: 0_2_00F2CC8C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_00F2CC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000223B8D66AE1 FindFirstFileW,	3_2_00000223B8D66AE1

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.145.4.27 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 23.152.0.207 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 194.15.112.203 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.159.210.26 443	Jump to behavior

Source: Joe Sandbox View	ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View	ASN Name: INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902

Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.145.4.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 23.152.0.207
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.112.203

Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Qll_wallet_import_enabled_migrated":true,"requested":false},"translate_site_blacklist":[],"translate_site_blocklist_with_time":{},"updateclientdata":{"apps":{"ghbmnnjooekpmoecnnnilnnbdlolhkhi":{"cohort":"1::","cohortname":"","dlrc":6120,"installdate":6120,"pf":"e8cfbc86-35d0-4127-9614-1b5020b1c2a0"},"nmmhkkegccagdldgiimedpiccmgmieda":{"cohort":"1::","cohortname":"","dlrc":6120,"installdate":6120,"pf":"dcb37f49-aa68-4ebc-a8d4-14eaa556e331"}}},"web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}},"web_apps":{"did_migrate_default_chrome_apps":["MigrateDefaultChromeAppToWebAppsGSuite","MigrateDefaultChromeAppToWebAppsNonGSuite"],"last_preinstall_synchronize_version":"117","migrated_default_apps":["aohghmighlieiainnegkcijnfilokake","aapocclcgogkmnckokdopfmhonfmgoek","felcaaldnbdncclmgdcncolpebgiejap","apdfllckaahabafndbhieahigkjlhalf","pjkljhegncpnkpknbcohdijeoejaedia","blpcfgokakmgnkcojhhkbfbldkacnbeo"]},"zerosuggest":{"cachedresults":")]}'\n[\"\",[\"one piece chapter 1094 spoilers twitter\",\"baltimore drinking water parasites\",\"as3 equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ll_wallet_import_enabled_migrated":true,"requested":false},"translate_site_blacklist":[],"translate_site_blocklist_with_time":{},"updateclientdata":{"apps":{"ghbmnnjooekpmoecnnnilnnbdlolhkhi":{"cohort":"1::","cohortname":"","dlrc":6120,"installdate":6120,"pf":"e8cfbc86-35d0-4127-9614-1b5020b1c2a0"},"nmmhkkegccagdldgiimedpiccmgmieda":{"cohort":"1::","cohortname":"","dlrc":6120,"installdate":6120,"pf":"dcb37f49-aa68-4ebc-a8d4-14eaa556e331"}}},"web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}},"web_apps":{"did_migrate_default_chrome_apps":["MigrateDefaultChromeAppToWebAppsGSuite","MigrateDefaultChromeAppToWebAppsNonGSuite"],"last_preinstall_synchronize_version":"117","migrated_default_apps":["aohghmighlieiainnegkcijnfilokake","aapocclcgogkmnckokdopfmhonfmgoek","felcaaldnbdncclmgdcncolpebgiejap","apdfllckaahabafndbhieahigkjlhalf","pjkljhegncpnkpknbcohdijeoejaedia","blpcfgokakmgnkcojhhkbfbldkacnbeo"]},"zerosuggest":{"cachedresults":")]}'\n[\"\",[\"one piece chapter 1094 spoilers twitter\",\"baltimore drinking water parasites\",\"as3 equals www.youtube.com (Youtube)

Source: rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rundll32.exe, 00000002.00000003.2174590540.00000000026C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecop
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rundll32.exe, 00000002.00000003.2512683350.0000000002700000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2174590540.00000000026D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2174590540.0000000002697000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rundll32.exe, 00000002.00000003.2517530122.0000000006507000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2517961518.0000000006507000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2512683350.0000000002700000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2515998102.0000000006507000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2517041867.0000000006507000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2174590540.0000000002667000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2516508697.0000000006507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rundll32.exe, 00000002.00000003.2648572939.0000000006507000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2649633274.0000000006507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033nsLMEM
Source: rundll32.exe, 00000002.00000003.2174590540.0000000002667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033~v
Source: rundll32.exe, 00000002.00000003.2174590540.00000000026D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: 1pXdiCesZ6.exe, 00000000.00000003.1654803619.000000007E7B0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_6d50855d-9

E-Banking Fraud

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.1pXdiCesZ6.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: schtasks.exe

Process created: 67

Source: 1pXdiCesZ6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 49%

Source: 1pXdiCesZ6.exe, 00000000.00000003.1658594017.0000000000DB8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs 1pXdiCesZ6.exe
Source: 1pXdiCesZ6.exe, 00000000.00000000.1646152461.0000000000F29000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBeast : vs 1pXdiCesZ6.exe
Source: 1pXdiCesZ6.exe	Binary or memory string: OriginalFilenameBeast : vs 1pXdiCesZ6.exe

Source: 1pXdiCesZ6.exe	ReversingLabs: Detection: 29%
Source: 1pXdiCesZ6.exe	Virustotal: Detection: 32%

Source: 1pXdiCesZ6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1pXdiCesZ6.exe C:\Users\user\Desktop\1pXdiCesZ6.exe
Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll,start
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll,start	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

File created: C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@135/249@0/5

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: rundll32.exe, 00000002.00000003.1665183791.000000007E640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: rundll32.exe, 00000002.00000003.1665183791.000000007E640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: rundll32.exe, 00000002.00000003.1665183791.000000007E640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: rundll32.exe, 00000002.00000003.1665183791.000000007E640000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000002.00000003.2435200878.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643833451.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2513071172.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2577760101.00000000063D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2787431072.00000000064FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2369702256.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2724342687.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2644620287.00000000064FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1721835599.00000000063F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2513475206.00000000064F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2786727641.00000000063F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll,start

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\SysWOW64\rundll32.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1pXdiCesZ6.exe

Static file information: File size 6904320 > 1048576

Source: 1pXdiCesZ6.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x690200

Source: 1pXdiCesZ6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1pXdiCesZ6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

Unpacked PE file: 0.2.1pXdiCesZ6.exe.f20000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

Unpacked PE file: 0.2.1pXdiCesZ6.exe.f20000.0.unpack .text:ER;.rdata:R;.data:W;.CRT:R;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R;

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_3_06421CE0 push es; retf	2_3_06421CE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_3_06421CE0 push es; retf	2_3_06421CE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_3_06421CE0 push es; retf	2_3_06421CE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_3_06421CE0 push es; retf	2_3_06421CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_009E2BC5 pushad ; retf	3_2_009E2BC6

Source: Uspehfsepf.dll.0.dr

Static PE information: section name: .didata

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_009E0244 LoadLibraryA,GetProcAddressForCaller,

3_2_009E0244

Source: Uspehfsepf.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x6a8c64
Source: 1pXdiCesZ6.exe	Static PE information: real checksum: 0x696abd should be: 0x6a1f94

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

File created: C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

Hooking and other Techniques for Hiding and Protection

May use the Tor software to hide its network traffic

Source: rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1664805385.000000007E170000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: torConnect

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter

Source: C:\Windows\SysWOW64\rundll32.exe TID: 6980	Thread sleep time: -30600s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2500	Thread sleep time: -7368000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5100	Thread sleep time: -75075s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7120	Thread sleep time: -11146000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7120	Thread sleep time: -218000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2500	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7124	Thread sleep time: -63026691s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 3684	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 5573	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 9971	Jump to behavior

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Code function: 0_2_00F2D258 FindFirstFileW,FindClose,	0_2_00F2D258
Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Code function: 0_2_00F2CC8C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_00F2CC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000223B8D66AE1 FindFirstFileW,	3_2_00000223B8D66AE1

Source: C:\Windows\SysWOW64\rundll32.exe

Thread delayed: delay time: 75075

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: rundll32.exe, 00000003.00000002.4106339889.00000223B8B4E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_009E0244 LoadLibraryA,GetProcAddressForCaller,

3_2_009E0244

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.145.4.27 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 23.152.0.207 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 194.15.112.203 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.159.210.26 443	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\rundll32.exe

Thread register set: target process: 5004

Jump to behavior

Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,		0_2_00F2D390
Source: C:\Users\user\Desktop\1pXdiCesZ6.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		0_2_00F2C830

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\1pXdiCesZ6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 1pXdiCesZ6.exe, 00000000.00000003.1654803619.000000007E7B0000.00000004.00001000.00020000.00000000.sdmp, 1pXdiCesZ6.exe, 00000000.00000003.1654860923.000000007E8AB000.00000004.00001000.00020000.00000000.sdmp, 1pXdiCesZ6.exe, 00000000.00000003.1658152583.000000007DB3B000.00000004.00001000.00020000.00000000.sdmp, Uspehfsepf.dll.0.dr

Binary or memory string: MSASCui.exe

Stealing of Sensitive Information

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.1pXdiCesZ6.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\Miranda\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\8a41173cbadc68f7_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5ff1e53f5a9f69f4_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\df63f5a27d36f38a_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3d502876efe858ed_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7b4cf8be860f8cdc_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\8e073450b73a8120_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\eb86727a72089436_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4a1882c66f3063c6_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4eb0b524436dbaf9_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\06cf702c77b35749_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\34226c3d3915e5cf_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0aa25cf1adddac5d_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c38171b22e3652c4_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1543a54143de000c_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\2c556df7bb39a94c_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\085e8be96c88d39b_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e8b22a1fbab4c95a_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\6b59c256380c6bcb_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b685eaa427109ba6_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\36009ced4931b21f_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b7def6ab7bcd560b_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\347206588efe1e3f_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\cdc535867ca73ce2_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7c0e2aa88f7413bc_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\171d445a43159dc3_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\8f3c2e2c260a7099_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fff7b524fcc73443_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database-journal	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b230787e5c4f63c8_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\a673680755eab746_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e23a21dd73d0fd53_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fce34a99f9b5d1c7_0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData-journal	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG	Jump to behavior

Source: Yara match

File source: Process Memory Space: rundll32.exe PID: 2084, type: MEMORYSTR

Remote Access Functionality

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.1pXdiCesZ6.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	22 Process Injection	111 Virtualization/Sandbox Evasion	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	22 Process Injection	11 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Multi-hop Proxy	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	1 Credentials in Registry	111 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	1 Credentials In Files	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Proxy			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	43 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1pXdiCesZ6.exe	30%	ReversingLabs	Win32.Trojan.SpywareX
1pXdiCesZ6.exe	32%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://.jpg	0%	Avira URL Cloud	safe
https://cdn.ecop	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://duckduckgo.com/chrome_newtab	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default	rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/installwebapp?usp=chrome_default	rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecop	rundll32.exe, 00000002.00000003.2174590540.00000000026C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/s/notifications/manifest/cr_install.html	rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/installwebapp?usp=chrome_default	rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://.css	rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.ecosia.org/newtab/	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.jpg	rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	rundll32.exe, 00000002.00000003.2512534074.0000000006521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2435727393.00000000064FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2643213363.0000000006539000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2785967702.0000000006551000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2370030643.00000000064E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.2723622013.0000000006541000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html.	rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/installwebapp?usp=chrome_default	rundll32.exe, 00000003.00000003.3533336163.00007DF4A3C30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	rundll32.exe, 00000002.00000003.1665301390.000000007E780000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.152.0.207	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
194.15.112.203	unknown	Ukraine	213354	INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB	true
45.159.210.26	unknown	Russian Federation	42316	KOBI-ASNKobiShmueliIL	true
45.145.4.27	unknown	Russian Federation	200019	ALEXHOSTMD	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1352847
Start date and time:	2023-12-04 03:24:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	76
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	1pXdiCesZ6.exe renamed because original name is a hash value
Original Sample Name:	bd52acbe6fba86dc602e5a851d70c665.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@135/249@0/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 2084 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:24:59	API Interceptor	14736679x Sleep call for process: rundll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	U9jeNdDH6s.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse	45.87.61.156
	securefile.vbs	Get hash	malicious	Remcos	Browse	185.174.101.114
	bScu.exe	Get hash	malicious	Njrat	Browse	173.44.50.84
	FRA-4181.exe	Get hash	malicious	FormBook	Browse	154.205.84.217
	https://mycttadvisory.com/ctt.html	Get hash	malicious	HTMLPhisher	Browse	23.163.0.95
	HSBC_Payment_Advice_pdf.exe	Get hash	malicious	FormBook	Browse	154.205.84.217
	SecuriteInfo.com.Win32.PWSX-gen.1503.19116.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
	https://waysnuanjob.com/	Get hash	malicious	Unknown	Browse	104.129.12.212
	SecuriteInfo.com.Win32.PWSX-gen.26942.1928.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
	HSBC_Payment_Advice_pdf.exe	Get hash	malicious	FormBook	Browse	154.205.84.217
	SecuriteInfo.com.Win32.PWSX-gen.13136.3562.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
	TEKL#U0130F_TALEP_VE_F#U0130YAT_TEKL#U0130F#U0130_PDF.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	69.174.100.3
	6h5wwsQiwN.exe	Get hash	malicious	GuLoader	Browse	64.188.12.78
	SecuriteInfo.com.Trojan.PackedNET.2270.20735.14818.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
	https://www.etesdl.top/login	Get hash	malicious	Unknown	Browse	172.86.124.210
	https://www.etesdl.top/login	Get hash	malicious	Unknown	Browse	172.86.124.210
	SecuriteInfo.com.Win32.CrypterX-gen.17640.5876.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
	SecuriteInfo.com.Win32.CrypterX-gen.17199.441.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
	e-dekont_html.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	69.174.100.3
	9yI76aV8tE.exe	Get hash	malicious	AgentTesla	Browse	64.188.2.244
INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB	bad.pdf.exe	Get hash	malicious	Unknown	Browse	194.15.113.200
	FromRussiaWithLove.ps1	Get hash	malicious	Unknown	Browse	194.15.112.70
	x.exe	Get hash	malicious	Unknown	Browse	194.15.113.210
	b69SScPQRV.dll	Get hash	malicious	BazaLoader	Browse	194.15.113.155
	Dsf8JqfE7v.dll	Get hash	malicious	BazaLoader	Browse	194.15.113.155
	0x0005000000012636-65.exe	Get hash	malicious	BazaLoader	Browse	194.15.112.35
	Invoice_#fdp..exe	Get hash	malicious	BazaLoader	Browse	194.15.112.35
	03.Nov-Plans.js	Get hash	malicious	Unknown	Browse	194.15.112.228
	sgRkrN.dll	Get hash	malicious	Bazar Loader	Browse	194.15.112.173
	bazar.dll	Get hash	malicious	BazaLoader	Browse	194.15.112.159
	Vrd8Yqy7kn.exe	Get hash	malicious	Unknown	Browse	194.15.112.71
	motHf.dll	Get hash	malicious	Bazar Loader	Browse	194.15.113.160
	mal.dll	Get hash	malicious	Bazar Loader	Browse	194.15.113.160
	StNsbaY.dll	Get hash	malicious	Bazar Loader	Browse	194.15.113.148
	stopSetInstall.dll	Get hash	malicious	Bazar Loader	Browse	194.15.113.148
	o8qD5hnaJq.dll	Get hash	malicious	Bazar Loader	Browse	194.15.113.148
	113_ColourPickDemo.dll	Get hash	malicious	TrickBot	Browse	194.15.113.73
	oMNhCoZdeT.dll	Get hash	malicious	Unknown	Browse	194.15.113.73
	lovemetertok.dll	Get hash	malicious	Unknown	Browse	194.15.113.73
	Positions_invoice-103246.xlsm	Get hash	malicious	Unknown	Browse	194.15.113.73

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	E6FF930C3FB6DE61F664581C1A85F60C
SHA1:	F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
SHA-256:	CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
SHA-512:	60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\1pXdiCesZ6.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6964224
Entropy (8bit):	7.371682610276596
Encrypted:	false
SSDEEP:	98304:9gy4Jwik47hc5m6Z5/Wswps3Q/TKPuidCQXZl0iTQEQtz0mQPagkIL:9gy4JnB7u5L7JwivuUCQJu23ggkI
MD5:	819A76CA58A3CF6D255556B7F6F132CF
SHA1:	CFBE60F62FD60F6F948185BA860E1B73FB26AA75
SHA-256:	0AC69D5B9B536F5B5C29A4AD740A6E88D14A0DCB42D1C25A3D89F6409E334C54
SHA-512:	E6CACE216BC54A4B1164BC7F7ED7042AC73F7A14577E20CD975E6640704B9F14011F1D868A80F843839C587B0A8DF876086B374D7512A0C10F1087E53147C708
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...g.de.................dc.........$.c.......c...@...........................k.......................................e.......d..=....j......................0e.....................................................t.d.l.....e.>....................text...LBc......Dc................. ..`.itext..p....`c.. ...Hc............. ..`.data.........c......hc.............@....bss.....c...Pd..........................idata...=....d..>....d.............@....didata.>.....e......ld.............@....edata........e......zd.............@..@.rdata..D.... e......\|d.............@..@.reloc.......0e......~d.............@..B.rsrc.........j......Li.............@..@..............k......Dj.............@..@........................................................

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.518758680396983
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1pXdiCesZ6.exe
File size:	6'904'320 bytes
MD5:	bd52acbe6fba86dc602e5a851d70c665
SHA1:	b5371851f50ff84372553b296208d97c4a04c9a2
SHA256:	8ffd4fd0e29d6888e9eaf78a6f698436f8a4477cdba8b6271015f7b012d1f8e0
SHA512:	7c5f5873760ba7e59ba4ac2eb4819d783b86faab658ee65f8333e09d3d77ab22349a99b0fc57feb94b003490c66d03101cdbc6e7285ad3836e6959e05acec89c
SSDEEP:	196608:7C7EEQed3SdBeNmPDgohMXVuHAeGnyprMFamB8UTowy82tQCni/T5y4w0ute/N8H:kxd3S+uMoh0VUAVnyprKT88bs+o4bVTK
TLSH:	5866115BB00BD74FD28061B4D0C23EE165079D7ABE65DB9B91043AE83736EEC391AC52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$...E...E...E...=...E...E...E.......E....b..E.......E..Rich.E..........PE..L.....fe...............&.F....i.....0........`....@

Entrypoint:	0x401030
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x656601F5 [Tue Nov 28 15:06:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9aa72e326f234de080a0666006671d0a

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6180	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x690178	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x69a000	0x468	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6018	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x44ce	0x4600	False	0.5303571428571429	data	5.918249852162766	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x22a	0x400	False	0.314453125	data	2.4286336397854016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7000	0x8c	0x200	False	0.068359375	data	0.3124291846600516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x8000	0x4	0x200	False	0.03125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "@"	0.04078075625387198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x690178	0x690200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x69a000	0x468	0x600	False	0.6744791666666666	data	5.572184589549816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x9180	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	English	United States	0.10777238850112386
RT_RCDATA	0x19e80	0x67f2f7	data	English	United States	0.7874717712402344
RT_GROUP_ICON	0x199a8	0x14	data	English	United States	1.15
RT_VERSION	0x19b20	0x360	data	English	United States	0.47685185185185186
RT_MANIFEST	0x199c0	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

DLL	Import
KERNEL32.dll	GetModuleHandleA, HeapCreate
GDI32.dll	GetBkColor, SetBkColor

Target ID:	0
Start time:	03:24:54
Start date:	04/12/2023
Path:	C:\Users\user\Desktop\1pXdiCesZ6.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1pXdiCesZ6.exe
Imagebase:	0xf20000
File size:	6'904'320 bytes
MD5 hash:	BD52ACBE6FBA86DC602E5A851D70C665
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:24:55
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Uspehfsepf.dll,start
Imagebase:	0x180000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000002.00000003.1670063397.000000007DA80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000002.00000003.1665420017.000000007EA10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	03:25:03
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	03:25:05
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	03:26:08
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	03:26:10
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	03:26:14
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	17
Start time:	03:26:17
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	03:26:22
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	03:26:24
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	03:26:28
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	03:26:31
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	03:26:37
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1pXdiCesZ6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Adyidprpfyeap

C:\Users\user\AppData\Local\Temp\Aeqeiueqaqfuw

C:\Users\user\AppData\Local\Temp\Aeqeiueqaqfuw-shm

C:\Users\user\AppData\Local\Temp\Aftdfueeqeaet

C:\Users\user\AppData\Local\Temp\Aqqthtdetehse

C:\Users\user\AppData\Local\Temp\Atpeswqsusoyi

C:\Users\user\AppData\Local\Temp\Awqawuiawfhii

C:\Users\user\AppData\Local\Temp\Ayeaytytawfay

C:\Users\user\AppData\Local\Temp\Ayeaytytawfay-shm

C:\Users\user\AppData\Local\Temp\Ddupaydyee

C:\Users\user\AppData\Local\Temp\Defduitu

C:\Users\user\AppData\Local\Temp\Defrsafaertqyii

Windows Analysis Report
1pXdiCesZ6.exe

Target ID:	30
Start time:	03:26:39
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	03:26:43
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	03:26:45
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	03:26:49
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	03:26:52
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	03:26:55
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	42
Start time:	03:26:57
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	44
Start time:	03:27:00
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	46
Start time:	03:27:02
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	48
Start time:	03:27:06
Start date:	04/12/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true