
Analysis Report setup.exe

Overview

General Information

Sample Name:setup.exe
MD5:eb320243d41500647b767f567a285401
SHA1:ffe46db953bc5227f323baf29008a8eb79ed8dc9
SHA256:3fe5fdbdc141727dc6b70a7c8e2c7700a0eef1ee6236d7a5cb62b15c75ab9f26

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Domain name seen in connection with other malware
Drops PE files
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • setup.exe (PID: 5272 cmdline: 'C:\Users\user\Desktop\setup.exe' MD5: EB320243D41500647B767F567A285401)
    • setup.exe (PID: 4028 cmdline: 'C:\Users\user\Desktop\setup.exe' MD5: EB320243D41500647B767F567A285401)
  • iexplore.exe (PID: 5536 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4828 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5536 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1336 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5372 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1336 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4408 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4408 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "h": "lxpctl", "version": "250150", "uptime": "292\"\"", "crc": "1", "id": "8781", "user": "4fc9620bead8a178b69d58d775b38f61", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000003.927743678.000000000290B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.858126841.0000000002A88000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.857640839.0000000002A88000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.1013142024.000000000280D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.858050251.0000000002A88000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(8 entries in total; 5 shown above)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: setup.exe.4028.2.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "h": "lxpctl", "version": "250150", "uptime": "292\"\"", "crc": "1", "id": "8781", "user": "4fc9620bead8a178b69d58d775b38f61", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: setup.exe | Virustotal: Detection: 22%
Source: setup.exe | ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: setup.exe | Joe Sandbox ML: detected
Source: 2.2.setup.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 2.1.setup.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.setup.exe.2050000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406313 FindFirstFileA,FindClose, | 0_2_00406313
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, | 0_2_004057D8
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00402765 FindFirstFileA, | 0_2_00402765
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001E8AB8 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, | 2_2_001E8AB8

Source: C:\Users\user\Desktop\setup.exe | Code function: 4x nop then sub esp, 20h | 0_2_0078BB7C
Source: C:\Users\user\Desktop\setup.exe | Code function: 4x nop then sub esp, 20h | 0_2_0078BA10
Source: C:\Users\user\Desktop\setup.exe | Code function: 4x nop then sub esp, 20h | 0_2_0078BB02
Source: C:\Users\user\Desktop\setup.exe | Code function: 4x nop then sub esp, 20h | 0_2_0078BA88

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | Domain Name: fam-geo-atsv2.prod.media.g03.yahoodns.net
Source: Joe Sandbox View | IP Address: 172.217.22.6
Source: Joe Sandbox View | IP Address: 185.64.190.80
Source: Joe Sandbox View | IP Address: 212.82.100.176
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic | HTTP traffic detected: GET /images/KDaaNc0Su1e0oWXBLDn/8FwOuN2QLrn1DsJOg7UGoJ/TL_2FG_2BuYvm/kbUZjCU0/V6jvbzejjNcZd6lOmt0nQl5/upDpEu1Ag6/mMX8pXLU1tntdcjYw/8x7wGWp_2Fv4/_2BQCRSRau6/7fQqJFGzu8xtCq/amIq_2BEdo/O.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: line.ehrlum.com
  Connection: Keep-Alive
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: <span class="column"><a href="https://www.yahoo.com/" title="Yahoo"><img src="https://s.yimg.com/rz/p/yahoo_frontpage_en-US_s_f_p_bestfit_frontpage_2x.png" alt="Yahoo" class="logo" width="" height="36" /> equals www.yahoo.com (Yahoo)
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xba05d365,0x01d64e52</date><accdate>0xba05d365,0x01d64e52</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xba05d365,0x01d64e52</date><accdate>0xba05d365,0x01d64e52</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xba0ad1e5,0x01d64e52</date><accdate>0xba0ad1e5,0x01d64e52</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xba0ad1e5,0x01d64e52</date><accdate>0xba0ad1e5,0x01d64e52</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xba0d5b55,0x01d64e52</date><accdate>0xba0d5b55,0x01d64e52</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xba0d5b55,0x01d64e52</date><accdate>0xba0fe42a,0x01d64e52</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: Yahoo_Sans-Black[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansBlackCommercialType: Yahoo Sans Black: 2017Yahoo Sans BlackVersion 1.1 2017YahooSans-BlackYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Black[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansBlackCommercialType: Yahoo Sans Black: 2017Yahoo Sans BlackVersion 1.1 2017YahooSans-BlackYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans BlackRegularCommercialType: Yahoo Sans Black: 2017Yahoo Sans Black RegularVersion 1.1 2017YahooSans-BlackYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansBlackLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Bold[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansBoldCommercialType: Yahoo Sans Bold: 2017Yahoo Sans BoldVersion 1.1 2017YahooSans-BoldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Bold[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansBoldCommercialType: Yahoo Sans Bold: 2017Yahoo Sans BoldVersion 1.1 2017YahooSans-BoldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans BoldRegularCommercialType: Yahoo Sans Bold: 2017Yahoo Sans Bold RegularVersion 1.1 2017YahooSans-BoldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansBoldLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-ExtraBold[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansExtraBoldCommercialType: Yahoo Sans ExtraBold: 2017Yahoo Sans ExtraBoldVersion 1.1 2017YahooSans-ExtraBoldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-ExtraBold[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansExtraBoldCommercialType: Yahoo Sans ExtraBold: 2017Yahoo Sans ExtraBoldVersion 1.1 2017YahooSans-ExtraBoldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans ExtraBoldRegularCommercialType: Yahoo Sans ExtraBold: 2017Yahoo Sans ExtraBold RegularVersion 1.1 2017YahooSans-ExtraBoldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansExtraBoldLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-ExtraLight[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansExtraLightCommercialType: Yahoo Sans ExtraLight: 2017Yahoo Sans ExtraLightVersion 1.1 2017YahooSans-ExtraLightYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-ExtraLight[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansExtraLightCommercialType: Yahoo Sans ExtraLight: 2017Yahoo Sans ExtraLightVersion 1.1 2017YahooSans-ExtraLightYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans ExtraLightRegularCommercialType: Yahoo Sans ExtraLight: 2017Yahoo Sans ExtraLight RegularVersion 1.1 2017YahooSans-ExtraLightYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansExtraLightLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Italic[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansItalicCommercialType: Yahoo Sans Regular Italic: 2017Yahoo Sans ItalicVersion 1.1 2017YahooSans-ItalicYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Italic[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansItalicCommercialType: Yahoo Sans Regular Italic: 2017Yahoo Sans ItalicVersion 1.1 2017YahooSans-ItalicYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans RegularItalicCommercialType: Yahoo Sans Regular Italic: 2017Yahoo Sans Regular ItalicVersion 1.1 2017YahooSans-ItalicYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Light[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansLightCommercialType: Yahoo Sans Light: 2017Yahoo Sans LightVersion 1.1 2017YahooSans-LightYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Light[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansLightCommercialType: Yahoo Sans Light: 2017Yahoo Sans LightVersion 1.1 2017YahooSans-LightYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans LightRegularCommercialType: Yahoo Sans Light: 2017Yahoo Sans Light RegularVersion 1.1 2017YahooSans-LightYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansLightLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Medium[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansMediumCommercialType: Yahoo Sans Medium: 2017Yahoo Sans MediumVersion 1.1 2017YahooSans-MediumYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Medium[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansMediumCommercialType: Yahoo Sans Medium: 2017Yahoo Sans MediumVersion 1.1 2017YahooSans-MediumYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans SemiboldRegularCommercialType: Yahoo Sans Medium: 2017Yahoo Sans Semibold RegularVersion 1.1 2017YahooSans-MediumYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansMediumLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Regular[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansRegularCommercialType: Yahoo Sans Regular: 2017Yahoo Sans RegularVersion 1.1 2017YahooSans-RegularYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Regular[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansRegularCommercialType: Yahoo Sans Regular: 2017Yahoo Sans RegularVersion 1.1 2017YahooSans-RegularYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans RegularRegularCommercialType: Yahoo Sans Regular: 2017Yahoo Sans Regular RegularVersion 1.1 2017YahooSans-RegularYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Semibold[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansSemiboldCommercialType: Yahoo Sans Semibold: 2017Yahoo Sans SemiboldVersion 1.1 2017YahooSans-SemiboldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/license equals www.yahoo.com (Yahoo)
Source: Yahoo_Sans-Semibold[1].eot.6.dr | String found in binary or memory: Copyright (C)2017 Commercial Type.Yahoo SansSemiboldCommercialType: Yahoo Sans Semibold: 2017Yahoo Sans SemiboldVersion 1.1 2017YahooSans-SemiboldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseCopyright (C)2017 Commercial Type.Yahoo Sans SemiboldRegularCommercialType: Yahoo Sans Semibold: 2017Yahoo Sans Semibold RegularVersion 1.1 2017YahooSans-SemiboldYahoo Sans is a registered trademark of Commercial Type/Schwartzco Inc.Commercial Type, Inc.Tim Ripperhttp://commercialtype.comhttp://www.timripper.comNot to be used for anything other than web font use!http://commercialtype.com/licenseYahoo SansSemiboldLicensed to Yahoo for use on yahoo.com equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: mail.yahoo.com
Source: Yahoo_Sans-Bold[1].eot.6.dr, Yahoo_Sans-Italic[1].eot.6.dr, Yahoo_Sans-Light[1].eot.6.dr, Yahoo_Sans-Medium[1].eot.6.dr, Yahoo_Sans-ExtraLight[1].eot.6.dr, Yahoo_Sans-Black[1].eot.6.dr, Yahoo_Sans-Semibold[1].eot.6.dr, Yahoo_Sans-ExtraBold[1].eot.6.dr, Yahoo_Sans-Regular[1].eot.6.dr | String found in binary or memory: http://commercialtype.com/license
Source: Yahoo_Sans-Bold[1].eot.6.dr, Yahoo_Sans-Italic[1].eot.6.dr, Yahoo_Sans-Light[1].eot.6.dr, Yahoo_Sans-Medium[1].eot.6.dr, Yahoo_Sans-ExtraLight[1].eot.6.dr, Yahoo_Sans-Black[1].eot.6.dr, Yahoo_Sans-Semibold[1].eot.6.dr, Yahoo_Sans-ExtraBold[1].eot.6.dr, Yahoo_Sans-Regular[1].eot.6.dr | String found in binary or memory: http://commercialtype.com/licenseCopyright
Source: Yahoo_Sans-Bold[1].eot.6.dr, Yahoo_Sans-Italic[1].eot.6.dr, Yahoo_Sans-Light[1].eot.6.dr, Yahoo_Sans-Medium[1].eot.6.dr, Yahoo_Sans-ExtraLight[1].eot.6.dr, Yahoo_Sans-Black[1].eot.6.dr, Yahoo_Sans-Semibold[1].eot.6.dr, Yahoo_Sans-ExtraBold[1].eot.6.dr, Yahoo_Sans-Regular[1].eot.6.dr | String found in binary or memory: http://commercialtype.com/licenseYahoo
Source: Yahoo_Sans-Regular[1].eot.6.dr | String found in binary or memory: http://commercialtype.comhttp://www.timripper.comNot
Source: r-csc[1].htm.6.dr | String found in binary or memory: http://l.yimg.com/d/
Source: ~DF2365DDB61D86E9A2.TMP.15.dr, {0E4C7E39-BA46-11EA-AADE-C25F135D3C65}.dat.15.dr | String found in binary or memory: http://line.ehrlum.com/images/KDaaNc0Su1e0oWXBLDn/8FwOuN2QLrn1DsJOg7UGoJ/TL_2FG_2BuYvm/kbUZjCU0/V6jv
Source: setup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: setup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msapplication.xml.5.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.5.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr | String found in binary or memory: http://www.youtube.com/
Source: moatad[1].js.6.dr | String found in binary or memory: https://apx.moatads.com
Source: moatad[1].js.6.dr | String found in binary or memory: https://apx.moatads.com/pixel.gif?e=24&d=data%3Adata%3Adata%3Adata&i=
Source: moatad[1].js.6.dr | String found in binary or memory: https://geo.moatads.com/n.js?
Source: {E3F14A80-BA45-11EA-AADE-C25F135D3C65}.dat.5.dr, ~DF48F0564494D3AC86.TMP.12.dr, {FF599422-BA45-11EA-AADE-C25F135D3C65}.dat.12.dr | String found in binary or memory: https://login.yahoo.com/?.src=ym&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimage
Source: moatad[1].js.6.dr | String found in binary or memory: https://mb.moatads.com/a.js?yd=
Source: bid-apid-idsync[1].js.13.dr | String found in binary or memory: https://opus.analytics.yahoo.com/opus/tag/opus-frame.html?id=4
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://policies.oath.com/us/en/oath/terms/otos/index.html
Source: r-csc[1].htm.6.dr | String found in binary or memory: https://s.yimg.com/lq/
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://s.yimg.com/rz/p/yahoo_frontpage_en-US_s_f_p_bestfit_frontpage_2x.png
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://s.yimg.com/rz/p/yahoo_frontpage_en-US_s_f_w_bestfit_frontpage_2x.png
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://s.yimg.com/wm/mbr/images/yahoo-apple-touch-v0.0.2.png
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://s.yimg.com/wm/mbr/images/yahoo-favicon-img-v0.0.2.ico
Source: imagestore.dat.15.dr | String found in binary or memory: https://s.yimg.com/wm/mbr/images/yahoo-favicon-img-v0.0.2.ico~
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://s.yimg.com/wm/mbr/js/rapid-3.53.17.js
Source: OH2I0YVB.htm.6.dr, QHNP84JW.htm.13.dr | String found in binary or memory: https://sb.scorecardresearch.com/p?c1&#x3D;2&amp;c2&#x3D;7241469&amp;c5&#x3D;794200018&amp;ns_c&#x3D
Source: sp[1].js.6.dr | String found in binary or memory: https://tag.idsync.analytics.yahoo.com/sp-frame.html?referrer=
Source: OH2I0YVB.htm.6.dr | String found in binary or memory: https://www.yahoo.com/
Source: moatad[1].js.6.dr | String found in binary or memory: https://z.moatads.com/omidverificationclient/verification-client-v1.js
Source: moatad[1].js.6.dr | String found in binary or memory: https://z.moatads.com/px2/client.js
Source: moatad[1].js.6.dr | String found in binary or memory: https://z.moatads.com/swf/p6.v3.swf
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
            Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
            Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49796 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
            Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
            Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
            Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
            Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49833 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
            Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
            Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
            Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
            Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
            Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
            Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
            Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
            Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000003.927743678.000000000290B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.858126841.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.857640839.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1013142024.000000000280D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.858050251.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.857858228.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1185890626.0000000002690000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.857996615.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.857370122.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.858215150.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.857764057.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1013034692.000000000280D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup.exe PID: 4028, type: MEMORY
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00405275 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud:

Yara detected Ursnif (same Yara memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\setup.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\setup.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\setup.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\setup.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\setup.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\setup.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001E1A8C LdrInitializeThunk,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_00401000 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_004016CB NtMapViewOfSection
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_0040025D GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_004000E2 LdrInitializeThunk,GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_1_00401000 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_1_004016CB NtMapViewOfSection
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_1_0040025D GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_1_004000E2 LdrInitializeThunk,GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406FC4
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004067ED
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_739A1A98
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0078DAF7
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001EAC3C
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001E391E
Source: setup.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: setup.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe, 00000000.00000003.788158190.0000000002925000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs setup.exe
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@12/81@50/24
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00404530 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user\AppData\Local\Temp\nshEE1F.tmp
Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe | Virustotal: Detection: 22%
Source: setup.exe | ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\setup.exe
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe 'C:\Users\user\Desktop\setup.exe'
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe 'C:\Users\user\Desktop\setup.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5536 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1336 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4408 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\Desktop\setup.exe 'C:\Users\user\Desktop\setup.exe'
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5536 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1336 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4408 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Source: setup.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: setup.exe, 00000000.00000003.790911532.00000000029A0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: setup.exe, 00000000.00000003.790911532.00000000029A0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\setup.exe | Unpacked PE file: 2.2.setup.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\setup.exe | Unpacked PE file: 2.2.setup.exe.400000.1.unpack
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_739A1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_739A2F60 push eax; ret 0_2_739A2F8E
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001EAC2B push ecx; ret 2_2_001EAC3B
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001EA870 push ecx; ret 2_2_001EA879

Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user\AppData\Local\Temp\nssEEAD.tmp\System.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif (same Yara memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\setup.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_2-3934)
Source: C:\Users\user\Desktop\setup.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\setup.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406313 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00402765 FindFirstFileA
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001E8AB8 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\setup.exe | API call chain: ExitProcess graph end node (graph_0-4968)
Source: C:\Users\user\Desktop\setup.exe | API call chain: ExitProcess graph end node (graph_0-4972)
Source: C:\Users\user\Desktop\setup.exe | API call chain: ExitProcess graph end node (graph_2-3600)

Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001E9E93 LdrInitializeThunk
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_739A1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0078C4F7 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0078D9E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0078D987 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_004020C2 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_1_004020C2 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\setup.exe | Section loaded: unknown target: C:\Users\user\Desktop\setup.exe protection: execute and read and write
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\Desktop\setup.exe 'C:\Users\user\Desktop\setup.exe'
Source: setup.exe, 00000002.00000002.1185448519.0000000000AB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: setup.exe, 00000002.00000002.1185448519.0000000000AB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: setup.exe, 00000002.00000002.1185448519.0000000000AB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: setup.exe, 00000002.00000002.1185448519.0000000000AB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001E8362 cpuid
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_00401CE9 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Users\user\Desktop\setup.exe | Code function: 2_2_001E8362 GetUserNameW
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match File source: 00000002.00000003.927743678.000000000290B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.858126841.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857640839.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.1013142024.000000000280D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.858050251.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857858228.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1185890626.0000000002690000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857996615.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857370122.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.858215150.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857764057.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.1013034692.000000000280D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: setup.exe PID: 4028, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match File source: 00000002.00000003.927743678.000000000290B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.858126841.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857640839.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.1013142024.000000000280D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.858050251.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857858228.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1185890626.0000000002690000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857996615.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857370122.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.858215150.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.857764057.0000000002A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.1013034692.000000000280D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: setup.exe PID: 4028, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 2 | Winlogon Helper DLL | Access Token Manipulation 1 | Masquerading 1 | Credential Dumping | System Time Discovery 1 | Remote File Copy 1 | Clipboard Data 1 | Data Encrypted 1 | Standard Cryptographic Protocol 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
            Replication Through Removable Media | Execution through API 2 | Port Monitors | Process Injection 112 | Software Packing 21 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Graphical User Interface 1 | Accessibility Features | Path Interception | Access Token Manipulation 1 | Input Capture | Account Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 112 | Credentials in Files | System Owner/User Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 3 | SIM Card Swap | Premium SMS Toll Fraud |