Windows Analysis Report CGd7lq6RDL.dll

Overview

General Information

Sample Name: CGd7lq6RDL.dll (renamed file extension from dll to exe; the static PE characteristics below list EXECUTABLE_IMAGE and no DLL flag, and the renamed file ran as a standalone process, PID 6948)
Analysis ID: 481103
MD5: c7b71f03f190a5da3e4976f37194419f
SHA1: 8e750d01e1a5edb2c320e1b0b703b5823f241587
SHA256: 930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921

Detection

Family: Ursnif (Ursnif v3)
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif (two rules fire: JoeSecurity_Ursnifv3 on the unpacked PEs and JoeSecurity_Ursnif on the memory dumps, see Yara Overview)
Detected unpacking (changes PE section rights)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

  • System is w10x64
  • CGd7lq6RDL.exe (PID: 6948 cmdline: 'C:\Users\user\Desktop\CGd7lq6RDL.exe' MD5: C7B71F03F190A5DA3E4976F37194419F)
  • iexplore.exe (PID: 6672 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6824 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5656 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6136 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(29 further memory-dump entries are collapsed in the original report; every one of them is a dump of the same 0x0000000003610000 region of the sample process, and the full list appears under the signature sections below)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security |
1.2.CGd7lq6RDL.exe.1000000.0.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security |

                Sigma Overview

                No Sigma rule has matched

                Jbx Signature Overview


AV Detection:

Machine Learning detection for sample
Source: CGd7lq6RDL.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.3.CGd7lq6RDL.exe.da9d7c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: CGd7lq6RDL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: CGd7lq6RDL.exe
Within this report the submitted file itself is flagged by the ML model only; the two Avira generic labels apply to the unpacked images, not to the packed file as it sits on disk.

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: haverit.xyz (6 queries, issued by the 32-bit iexplore.exe children)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | DNS query: haverit.xyz (2 queries, issued by the sample itself)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: haverit.xyz, reply code: Name error (3)
Source: unknown | DNS traffic detected: queries for: haverit.xyz
Every lookup of haverit.xyz returned NXDOMAIN, so no C2 exchange was captured and nothing could be extracted under Malware Configuration. The queries come both from the sample and from the iexplore.exe processes that were COM-activated with -Embedding (see Process Tree), and IE's own temp and recovery files below record https://haverit.xyz/index.htm as a visited URL, which is consistent with the sample driving its C2 request through an embedded browser object rather than through its own socket.

Sample-specific network strings:
Source: CGd7lq6RDL.exe | String found in binary or memory: https://haverit.xyz
Source: ~DF849AFB3A04ECE3BF.TMP.9.dr | String found in binary or memory: https://haverit.xyz/index.htm
Source: {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr | String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr | String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: CGd7lq6RDL.exe, 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; (a printf-style URL template inside the Yara-matched unpacked region; the only network string in the sample that is not attributable to the certificate chain or to Internet Explorer defaults)

Strings from the certificate chain of the sample's embedded Authenticode signature (reported as invalid under System Summary); the trailing characters after each URL (0, 0#, 0s, 0P, ...) are the adjacent DER bytes picked up by the string scanner, not part of the URL:
Source: CGd7lq6RDL.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: CGd7lq6RDL.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: CGd7lq6RDL.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: CGd7lq6RDL.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: CGd7lq6RDL.exe | String found in binary or memory: https://www.digicert.com/CPS0

Strings that are Internet Explorer defaults, not sample indicators (the msapplication.xml*.9.dr files are IE's pinned-site tiles, written whenever iexplore.exe runs with a fresh profile):
Source: msapplication.xml0.9.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.9.dr | the same entry with <favorite src="C:\Users\user\Favorites\Facebook.url"/> inside <tile>, equals www.facebook.com (Facebook)
Source: msapplication.xml5.9.dr | the same two variants for http://www.twitter.com/ (dates 0xb603e652,0x01d7a66e; favorite C:\Users\user\Favorites\Twitter.url), equals www.twitter.com (Twitter)
Source: msapplication.xml7.9.dr | the same two variants for http://www.youtube.com/ (dates 0xb603e652,0x01d7a66e; favorite C:\Users\user\Favorites\Youtube.url), equals www.youtube.com (Youtube)
Source: msapplication.xml.9.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.9.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.9.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.9.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.9.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.9.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.9.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.9.dr | String found in binary or memory: http://www.youtube.com/
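
The pattern above (one domain, queried again and again by the sample and by the browser processes, every answer NXDOMAIN) is a detection on its own, independent of the domain's reputation. The block below is an added example and not part of the Joe Sandbox report: it runs that check over constructed Sysmon DNS-query records. The field names Image, QueryName and QueryStatus are Sysmon's Event ID 22 fields and 9003 is the Windows error code DNS_ERROR_RCODE_NAME_ERROR that Sysmon records for an NXDOMAIN answer; the one-line key=value rendering, the sample lines, the attempt threshold and the user-writable-path heuristic are assumptions made for the example.

```python
"""Flag domains that keep failing with NXDOMAIN and the processes asking for them.

Added example, not part of the Joe Sandbox report. Input is a constructed text
rendering of Sysmon Event ID 22 (DNS query) records, one event per line, using
the real Sysmon field names Image, QueryName and QueryStatus.
"""
import re
from collections import defaultdict

# Win32 error DNS_ERROR_RCODE_NAME_ERROR: the resolver received rcode 3 (NXDOMAIN),
# the "Name error (3)" reply code the sandbox reports for haverit.xyz.
NXDOMAIN = 9003

# Constructed sample records modelled on the report: 2 lookups by the sample,
# 6 by the 32-bit iexplore.exe children, all failing, plus some benign noise.
SAMPLE_RECORDS = r"""
Image=C:\Users\user\Desktop\CGd7lq6RDL.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Users\user\Desktop\CGd7lq6RDL.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe QueryName=haverit.xyz QueryStatus=9003
Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe QueryName=www.msftconnecttest.com QueryStatus=0
Image=C:\Windows\System32\svchost.exe QueryName=ctldl.windowsupdate.com QueryStatus=0
Image=C:\Windows\System32\svchost.exe QueryName=wpad.localdomain QueryStatus=9003
"""

RECORD = re.compile(r"Image=(?P<image>.+?) QueryName=(?P<name>\S+) QueryStatus=(?P<status>\d+)")


def parse_records(text):
    """Yield (image, name, status) for every well-formed line; skip anything else."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.group("image"), m.group("name").lower().rstrip("."), int(m.group("status"))


def is_user_writable(image):
    """Heuristic (assumption for the example): a binary started from a user profile or
    ProgramData deserves more suspicion than one under Program Files or Windows."""
    low = image.lower()
    return low.startswith(("c:\\users\\", "c:\\programdata\\"))


def find_failed_beacons(text, min_attempts=3):
    """Return the domains for which every lookup failed with NXDOMAIN and at least
    min_attempts lookups were made, together with the process images that asked."""
    per_name = defaultdict(lambda: {"attempts": 0, "nxdomain": 0, "images": set()})
    for image, name, status in parse_records(text):
        entry = per_name[name]
        entry["attempts"] += 1
        entry["images"].add(image)
        if status == NXDOMAIN:
            entry["nxdomain"] += 1

    findings = []
    for name, e in per_name.items():
        if e["attempts"] >= min_attempts and e["nxdomain"] == e["attempts"]:
            findings.append({
                "name": name,
                "attempts": e["attempts"],
                "images": sorted(e["images"]),
                # A failing name shared by a user-path binary and a browser hints at
                # injection or COM-driven browsing rather than a typo in one program.
                "from_user_path": any(is_user_writable(i) for i in e["images"]),
            })
    return sorted(findings, key=lambda f: -f["attempts"])


if __name__ == "__main__":
    for f in find_failed_beacons(SAMPLE_RECORDS):
        flag = " (user-writable path involved)" if f["from_user_path"] else ""
        print(f"{f['name']}: {f['attempts']} NXDOMAIN answers from {len(f['images'])} process image(s){flag}")
```

The single-lookup failure for wpad.localdomain is deliberately left below the threshold: one NXDOMAIN from svchost.exe is ordinary Windows noise, while eight failures for the same name from two different images, one of them running from the user's Desktop, is the shape of an expired or not-yet-live dropper domain.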

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif (JoeSecurity_Ursnifv3)
Source: Yara match | File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif (JoeSecurity_Ursnif; all 33 memory dumps below are successive snapshots of the same 0x0000000003610000 region of the sample process)
Source: Yara match | File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same two unpacked PEs (1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack and 1.2.CGd7lq6RDL.exe.1000000.0.unpack), the same 33 memory dumps of the 0x0000000003610000 region and the process memory space of PID 6948 as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above; the original report repeats the full list under every category the signature maps to.

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
The registry is written through the StdRegProv WMI provider (one GetDWORDValue, two SetDWORDValue, two SetBinaryValue, one SetStringValue) rather than through the advapi32 Reg* APIs, so user-mode hooks on RegSetValueEx in the sample's process would not see these writes; the report records the methods called but not the target key or value names.
Source: CGd7lq6RDL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CGd7lq6RDL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (two RT_ICON entries)
Source: CGd7lq6RDL.exe | Static PE information: invalid certificate
Source: CGd7lq6RDL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies lookup advapi32 performs on behalf of ordinary API calls; low signal on its own)
Source: unknown | Process created: C:\Users\user\Desktop\CGd7lq6RDL.exe 'C:\Users\user\Desktop\CGd7lq6RDL.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2
(The original report lists both SCODEF child creations a second time; the Process Tree shows one 32-bit child per 64-bit parent. -Embedding is the switch COM passes when it activates an out-of-process server, and the parent of both 64-bit iexplore.exe instances is not a monitored process, so the sample obtained the browser through COM activation rather than by calling CreateProcess itself.)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 (CLSID_WbemContext, the WMI client object used alongside the StdRegProv calls above)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process (process enumeration, again through WMI rather than the Toolhelp or NtQuerySystemInformation APIs)
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0443E1A-1261-11EC-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF9956526A696EBC76.TMP
Source: classification engine | Classification label: mal80.troj.evad.winEXE@7/29@8/1
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | File read: C:\Windows\System32\drivers\etc\hosts (read twice)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll (Internet Explorer loading the Java plug-in runtime present in the sandbox image; not sample related)
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CGd7lq6RDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: CGd7lq6RDL.exe (a path built from random dictionary words, typical of a crypter-generated build rather than of a developer's workstation)
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CGd7lq6RDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Unpacked PE file: 1.2.CGd7lq6RDL.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
The two section tables differ in a single section: one layout has .rsrc:R, the other .bss:W. The on-disk file carries RT_ICON resources in .rsrc (see System Summary), so the layout with .bss is the image found at 0x1000000 at the end of the run: the loaded module was overwritten in place with the unpacked payload, and a writable .bss section is where Ursnif keeps its encrypted string block.
PE file contains an invalid checksum
Source: CGd7lq6RDL.exe | Static PE information: real checksum: 0xe5cf6 should be: 0xdf042
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe | Code function: 1_3_0361198A push ds; retf (the original report repeats this identical line 31 times; a lone push ds; retf pair, opcode bytes 1E CB, at one address inside the 0x3610000 region that is being unpacked is more likely the disassembler decoding non-code bytes than deliberate obfuscation, so treat this signature as weak)
Source: initial sample | Static PE information: section name: .text entropy: 6.85142771967 (toward the high end for compiled code, consistent with packed data stored in .text)
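
The checksum finding above comes from recomputing IMAGE_OPTIONAL_HEADER.CheckSum and comparing it with the stored value (0xe5cf6 versus 0xdf042 for this sample). The block below is an added example and not Joe Sandbox code: it implements the same recomputation over raw bytes, so it needs no third-party PE parser, and it is written to run offline against a constructed 160-byte PE skeleton while accepting a real file path as an optional argument. The skeleton and the 0xDEADBEEF stored value are constructed for the example. The enforcement remark in the comments follows Windows' documented behaviour: the loader only verifies the checksum for drivers and certain boot-time or critical-process DLLs, so a mismatch on an ordinary user-mode EXE marks an unsigned or repacked build and is a triage hint, not proof of tampering.

```python
"""Recompute and verify the PE header checksum (added example, not Joe Sandbox code).

The algorithm is the one imagehlp's CheckSumMappedFile uses: a one's-complement
sum of all 16-bit words of the file, skipping the CheckSum field itself, folded
to 16 bits, plus the file length.
"""
import struct


def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum; raises if the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # PE signature (4) + COFF file header (20) + 64 bytes into the optional header;
    # CheckSum sits at the same optional-header offset for PE32 and PE32+.
    offset = e_lfanew + 4 + 20 + 64
    if offset + 4 > len(data):
        raise ValueError("optional header truncated")
    return offset


def pe_checksum(data):
    """Checksum as the Windows loader would compute it for this exact byte sequence."""
    skip = checksum_offset(data)
    n = len(data)
    total = 0
    for off in range(0, n - 1, 2):
        if off == skip or off == skip + 2:      # skip the 4-byte CheckSum field
            continue
        total += data[off] | (data[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    if n & 1:                                     # odd trailing byte
        total += data[n - 1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + n) & 0xFFFFFFFF


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def verify_checksum(data):
    """Return (stored, computed, match). A stored value of 0 means the linker never
    set one; Windows only enforces the field for drivers and certain system DLLs,
    so a mismatch on a user-mode EXE is a triage hint rather than proof of tampering."""
    stored = stored_checksum(data)
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data):
    """Return a copy of data with the stored checksum replaced by the computed one."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe():
    """Constructed 160-byte PE skeleton for the offline run: MZ header with
    e_lfanew = 0x40, PE signature, zeroed COFF header, PE32 magic and a bogus
    stored checksum of 0xDEADBEEF. It is not loadable; it only exercises the maths."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)        # PE32 magic
    struct.pack_into("<I", buf, 0x98, 0xDEADBEEF)   # stored CheckSum, deliberately wrong
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    stored, computed, ok = verify_checksum(data)
    print(f"stored=0x{stored:x} computed=0x{computed:x} {'OK' if ok else 'MISMATCH'}")
```

Because the CheckSum field is excluded from the sum, writing the computed value back (fix_checksum) yields a file that verifies on the next pass; that is also why a packer can rewrite every other byte of the image and still leave the stale linker checksum in place, which is the mismatch the sandbox flags.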

                Hooking and other Techniques for Hiding and Protection:

                barindex
                Yara detected UrsnifShow sources
                Source: Yara matchFile source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exe TID: 5976 Thread sleep time: -30000s >= -30000s
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: &Program Manager
                Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

                Stealing of Sensitive Information:

                Yara detected Ursnif
                Source: Yara match File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

                Remote Access Functionality:

                Yara detected Ursnif
                Source: Yara match File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection2 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection2 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1