
Windows Analysis Report eZY2eXORIp

Overview

General Information

Sample Name: eZY2eXORIp (renamed file extension from none to exe)
Analysis ID: 481002
MD5: 8baf707c7afeb686ca13710762829052
SHA1: e4e5310572a5f15be59a84185d7bc999a47cef2f
SHA256: ad6d0f94a890ee4ef5b0a36ab1fa2845910d3b687ef7bc0c42f0dfc3e1952469
Tags: exe, FORTHPROPERTYLTD

Detection

Malware family: Ursnif, Ursnif v3
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Process Tree

  • System is w10x64
  • eZY2eXORIp.exe (PID: 4304 cmdline: 'C:\Users\user\Desktop\eZY2eXORIp.exe' MD5: 8BAF707C7AFEB686CA13710762829052)
  • iexplore.exe (PID: 6212 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6296 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6212 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6496 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5400 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

Note: the two 64-bit iexplore.exe instances are started with -Embedding, i.e. through COM activation, not as children of the sample, and each spawns a 32-bit content process. Both the sample and the 32-bit iexplore.exe processes then query the same domain, haverit.xyz (see Networking), which is consistent with the sample driving the browser out of process rather than with unrelated browser activity.

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.292866191.00000000036F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.291929905.00000000036F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.292913639.00000000036F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.291547643.00000000036F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.291632853.00000000036F0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(29 further memory-dump matches of the same rule, all in the 0x036F0000 region of PID 4304; the full list of matched dumps appears in the signature section below)

            Unpacked PEs

Source | Rule | Description | Author
0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security
0.2.eZY2eXORIp.exe.1000000.0.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security

                Sigma Overview

                No Sigma rule has matched

Jbx Signature Overview

                AV Detection:

Multi AV Scanner detection for submitted file
Source: eZY2eXORIp.exe | ReversingLabs: Detection: 24%
Machine Learning detection for sample
Source: eZY2eXORIp.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.eZY2eXORIp.exe.1000000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.eZY2eXORIp.exe.619d7c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Uses 32bit PE files
Source: eZY2eXORIp.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb | source: eZY2eXORIp.exe

                Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: haverit.xyz (6 queries)
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | DNS query: haverit.xyz (2 queries)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: haverit.xyz, reply code: Name error (3)
Note: DNS reply code 3 is NXDOMAIN. haverit.xyz never resolved during the run, so no C2 exchange was captured; the repeated retries from both the sample and the 32-bit iexplore.exe processes against a dead domain are what the "expired dropper" heuristic keys on.
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9dce2b00,0x01d7a650</date><accdate>0x9dce2b00,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9dce2b00,0x01d7a650</date><accdate>0x9dd5514f,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9dd5514f,0x01d7a650</date><accdate>0x9dd5514f,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9dd5514f,0x01d7a650</date><accdate>0x9ddc796c,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9ddc796c,0x01d7a650</date><accdate>0x9ddc796c,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9ddc796c,0x01d7a650</date><accdate>0x9ddc796c,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Note: the msapplication.xml*.14.dr files are Internet Explorer's pinned-site tile configuration for its default favourites (Amazon, Facebook, Google, Live, NYTimes, Reddit, Twitter, Wikipedia, YouTube), written by iexplore.exe itself. The Facebook/Twitter/YouTube hits above and the nine www.* URLs below are browser noise, not indicators of the sample's behaviour.
Source: eZY2eXORIp.exe, 00000000.00000003.292440254.00000000036F0000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Note: this is a request-building format string found in the 0x036F0000 region that the Ursnif Yara rules match; the %u fields carry the OS version numbers and bitness (x%u), i.e. host fingerprint data for the beacon URL.
Source: eZY2eXORIp.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: eZY2eXORIp.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: eZY2eXORIp.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: eZY2eXORIp.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: eZY2eXORIp.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: eZY2eXORIp.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: eZY2eXORIp.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: eZY2eXORIp.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: eZY2eXORIp.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: eZY2eXORIp.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: eZY2eXORIp.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: eZY2eXORIp.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: eZY2eXORIp.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: eZY2eXORIp.exe | String found in binary or memory: http://ocsp.sectigo.com0
Note: the DigiCert, Comodo and Sectigo CRL/OCSP/CPS URLs in this list come from the Authenticode certificate chain embedded in the sample (a Sectigo RSA code-signing certificate with DigiCert timestamping). The static check reports that signature as invalid (see System Summary), so the chain establishes nothing about the file's provenance; the trailing characters after each URL (0, 0C, 0P, ...) are ASN.1 length bytes picked up by the string scanner.
Source: msapplication.xml.14.dr | String found in binary or memory: http://www.amazon.com/
Source: eZY2eXORIp.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.14.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.14.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.14.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.14.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.14.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.14.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.14.dr | String found in binary or memory: http://www.youtube.com/
Source: eZY2eXORIp.exe, eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp | String found in binary or memory: https://haverit.xyz
Source: eZY2eXORIp.exe, 00000000.00000002.510961640.00000000006FE000.00000004.00000001.sdmp | String found in binary or memory: https://haverit.xyz/
Source: eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp, eZY2eXORIp.exe, 00000000.00000003.493318612.00000000006FC000.00000004.00000001.sdmp, ~DF19831833E1675488.TMP.26.dr | String found in binary or memory: https://haverit.xyz/index.htm
Source: eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp | String found in binary or memory: https://haverit.xyz/index.htm5
Source: {EE1A57EC-1243-11EC-90E5-ECF4BB570DC9}.dat.26.dr | String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp | String found in binary or memory: https://haverit.xyz/index.htmbY
Source: {EE1A57EC-1243-11EC-90E5-ECF4BB570DC9}.dat.26.dr | String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Note: https://haverit.xyz/index.htm appears both in the sample's own memory and in Internet Explorer artifacts (a ~DF*.TMP file and a {EE1A57EC-...}.dat travel-log/recovery file dropped by process 26), which ties the browser's DNS lookups above to a URL the sample handed it.
Source: eZY2eXORIp.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: eZY2eXORIp.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: haverit.xyz
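The pattern this section records, the same process retrying one low-reputation domain and receiving NXDOMAIN every time, is easy to turn into a host-side detection. The following is an added example and not part of the Joe Sandbox report or its signature engine: it scores Sysmon Event ID 22 (DnsQuery) records, where Windows reports NXDOMAIN as QueryStatus 9003 (DNS_ERROR_RCODE_NAME_ERROR). The event records are constructed to mirror this run (the sample and the 32-bit iexplore.exe querying haverit.xyz, plus benign noise); the TLD watch-list and the retry threshold are assumptions to tune per environment.

```python
"""Flag processes whose DNS queries all fail with NXDOMAIN for low-reputation TLDs.

Added example; not code from the report or from Joe Sandbox. Input is a
constructed list of Sysmon Event ID 22 (DnsQuery) records.
"""
from collections import defaultdict

# Windows DNS status for RCODE 3 (NXDOMAIN) as Sysmon writes it into QueryStatus.
DNS_ERROR_RCODE_NAME_ERROR = 9003

# Assumed watch-list of low-reputation TLDs (tune for your environment).
LOW_REP_TLDS = {"xyz", "top", "club", "icu", "buzz"}

SAMPLE = r"C:\Users\user\Desktop\eZY2eXORIp.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

# Constructed Sysmon ID 22 records, trimmed to the fields the logic needs.
SAMPLE_EVENTS = [
    {"Image": SAMPLE, "QueryName": "haverit.xyz", "QueryStatus": 9003},
    {"Image": SAMPLE, "QueryName": "haverit.xyz", "QueryStatus": 9003},
    {"Image": IE32, "QueryName": "haverit.xyz", "QueryStatus": 9003},
    {"Image": IE32, "QueryName": "haverit.xyz", "QueryStatus": 9003},
    {"Image": IE32, "QueryName": "haverit.xyz", "QueryStatus": 9003},
    # ordinary browser traffic: resolves, common TLD -> must not fire
    {"Image": IE32, "QueryName": "www.microsoft.com", "QueryStatus": 0},
    # a single NXDOMAIN on a .com name (e.g. a WPAD probe) -> must not fire
    {"Image": r"C:\Windows\explorer.exe", "QueryName": "wpad.corp.example.com", "QueryStatus": 9003},
]


def tld(name: str) -> str:
    """Last label of a DNS name, lower-cased, ignoring a trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def find_dead_c2_candidates(events, min_queries=2):
    """Return {(image, domain): query_count} for process/domain pairs where every
    query ended in NXDOMAIN, the domain sits on a low-reputation TLD and the
    process retried at least min_queries times. The retry loop against a dead
    domain is the behaviour the sandbox labels "expired dropper"."""
    totals = defaultdict(int)
    failed = defaultdict(int)
    for ev in events:
        key = (ev["Image"], ev["QueryName"].lower())
        totals[key] += 1
        if ev["QueryStatus"] == DNS_ERROR_RCODE_NAME_ERROR:
            failed[key] += 1
    return {
        key: n
        for key, n in totals.items()
        if failed[key] == n and n >= min_queries and tld(key[1]) in LOW_REP_TLDS
    }


if __name__ == "__main__":
    for (image, domain), n in sorted(find_dead_c2_candidates(SAMPLE_EVENTS).items()):
        print(f"{image} -> {domain}: {n} queries, all NXDOMAIN")
```

Keying on the (process, domain) pair rather than on the domain alone is deliberate: it surfaces the injected or COM-driven browser process as a separate hit, which is exactly the signal that distinguishes this run from a user mistyping a URL.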

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.292866191.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291929905.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292913639.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291547643.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291632853.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291835576.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292487674.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292971089.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292333881.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292136155.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291360640.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.512177753.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292440254.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291279386.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291701567.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292984133.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292892828.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292791301.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292276017.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292076935.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292753214.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292948084.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292386062.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291458965.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291769273.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292670276.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.291996066.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292712718.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292211990.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292930955.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292554837.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292619377.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292820042.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR
Source: eZY2eXORIp.exe, 00000000.00000002.510804819.000000000068A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | the same 33 memory-dump sources (region 0x036F0000 of PID 4304) and the process memory space of eZY2eXORIp.exe PID 4304 (type MEMORYSTR) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above; the list is identical and is not repeated here.

                System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Note: StdRegProv methods are executed by the WMI provider host (WmiPrvSE.exe) on the caller's behalf, so these registry writes never pass through the Reg* APIs inside the sample's own process and are invisible to monitoring that relies on in-process API hooks. Watch WMI activity (the WMI-Activity ETW provider) or audit the affected keys themselves instead. The report does not show which keys or values were written.
Writes registry values via WMI
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: eZY2eXORIp.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: eZY2eXORIp.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eZY2eXORIp.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eZY2eXORIp.exe | Static PE information: invalid certificate
Source: eZY2eXORIp.exe | ReversingLabs: Detection: 24%
Source: eZY2eXORIp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\eZY2eXORIp.exe 'C:\Users\user\Desktop\eZY2eXORIp.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6212 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C85B3E60-1243-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF56A785732A2B1070.TMP
Source: classification engine | Classification label: mal88.troj.evad.winEXE@7/29@8/1
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\eZY2eXORIp.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 reads)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: eZY2eXORIp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eZY2eXORIp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eZY2eXORIp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eZY2eXORIp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eZY2eXORIp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eZY2eXORIp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: eZY2eXORIp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb | source: eZY2eXORIp.exe
Source: eZY2eXORIp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eZY2eXORIp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eZY2eXORIp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eZY2eXORIp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eZY2eXORIp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation:

                barindex
                Detected unpacking (changes PE section rights)Show sources
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeUnpacked PE file: 0.2.eZY2eXORIp.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
                Source: eZY2eXORIp.exeStatic PE information: real checksum: 0xe0d1f should be: 0xe96d5
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: C:\Users\user\Desktop\eZY2eXORIp.exeCode function: 0_3_036F198A push ds; retf
                Source: initial sample | Static PE information: section name: .text entropy: 6.85142500946

                Hooking and other Techniques for Hiding and Protection:

                Yara detected Ursnif
                Source: Yara match | File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match | File source: 00000000.00000003.292866191.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291929905.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292913639.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291547643.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291632853.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291835576.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292487674.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292971089.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292333881.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292136155.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291360640.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.512177753.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292440254.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291279386.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291701567.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292984133.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292892828.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292791301.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292276017.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292076935.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292753214.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292948084.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292386062.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291458965.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291769273.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292670276.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.291996066.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292712718.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292211990.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292930955.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292554837.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292619377.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.292820042.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR
                Source: C:\Users\user\Desktop\eZY2eXORIp.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\eZY2eXORIp.exe TID: 6528 | Thread sleep time: -60000s >= -30000s
                Source: eZY2eXORIp.exe, 00000000.00000003.493460895.00000000006EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx
                Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Progman
                Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
                Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
                Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\eZY2eXORIp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\eZY2eXORIp.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

                Stealing of Sensitive Information:

                Yara detected Ursnif

                Remote Access Functionality:

                Yara detected Ursnif

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection2 | Masquerading1 | Input Capture1 | Query Registry1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1