
Analysis Report 9JRFKqb0ML

Overview

General Information

Sample Name: 9JRFKqb0ML (renamed file extension from none to exe)
Analysis ID: 316301
MD5: 1192ff210983aaf16d351d808a063161
SHA1: 349e706b47728b73ec5b4b5e20b2871039b7ff05
SHA256: 08f2f0f6505415d63394539b98067844abab6ba5cb8c08d130c88d86e3b0076d
Tags: Gozi


Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
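"PE file contains an invalid checksum" means the CheckSum field in the optional header no longer matches the value computed over the file on disk. The loader enforces that field only for drivers and certain system DLLs, so a user-mode EXE runs either way; but a nonzero value that does not match is a sign the file was modified after it was built, which also fits the Avira label TR/Patched.Ren.Gen reported for the unpacked image below. The following is an added example, not part of the report or of Joe Sandbox, and it does not parse the sample: a pure-Python implementation of the image checksum (the same folding sum that CheckSumMappedFile uses, with the CheckSum field itself skipped and the file length added) run over a constructed skeletal PE32 image, distinguishing the three states a triage script should report: unset (zero), valid, and invalid after a one-byte patch. The image layout (e_lfanew = 0x40, 224-byte optional header, 512-byte file, body bytes at 0x138) and the patched offset 0x140 are assumptions of the example.

```python
"""Verify a PE header CheckSum the way the loader and the sandbox do.
Added example: pure Python, no pefile; runs on a constructed minimal PE32."""
import struct


def _checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (always 0x40 into the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    optional_header = e_lfanew + 4 + 20      # PE signature + 20-byte COFF file header
    return optional_header + 0x40


def pe_checksum(data: bytes) -> int:
    """Image checksum: 32-bit words summed with carry folded back in, skipping the
    CheckSum field, folded to 16 bits, plus the (unpadded) file length."""
    skip = _checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # the algorithm works on whole dwords
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    """The CheckSum value as written in the header."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def checksum_state(data: bytes) -> str:
    """'unset' (0, common for unsigned user-mode builds), 'valid', or 'invalid'."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "valid" if stored == pe_checksum(data) else "invalid"


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the image with the CheckSum field set to `value`."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), value)
    return bytes(buf)


def build_minimal_pe(size: int = 0x200) -> bytes:
    """Constructed skeletal PE32 image (not derived from the sample): DOS header
    with e_lfanew=0x40, PE signature, COFF header, 224-byte optional header,
    a few non-zero body bytes, zero padding to `size`."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, opt-hdr size, characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, 0x014C, 0, 0x5FAE0000, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", img, 0x58, 0x10B)          # PE32 magic
    img[0x138:0x148] = b"\xCC" * 16                   # stand-in for code bytes
    return bytes(img)


if __name__ == "__main__":
    base = build_minimal_pe()
    fixed = with_checksum(base, pe_checksum(base))
    tampered = fixed[:0x140] + b"\x90" + fixed[0x141:]  # patch one body byte
    for name, img in ("unset", base), ("fixed", fixed), ("tampered", tampered):
        print(name, checksum_state(img), hex(stored_checksum(img)), hex(pe_checksum(img)))
```

On a real file the same check is `pefile.PE(path).verify_checksum()`, with the stored value in `OPTIONAL_HEADER.CheckSum`; report "unset" separately from "invalid", because only the latter says the image was changed after a checksum was written.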

Classification

Startup

  • System is w10x64
  • 9JRFKqb0ML.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\9JRFKqb0ML.exe' MD5: 1192FF210983AAF16D351D808A063161)
  • iexplore.exe (PID: 5056 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6504 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5056 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6592 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5764 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4980 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5716 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4980 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1768 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6988 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1768 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.327430855.00000000030C0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000003.327547863.00000000030C0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000003.326900879.00000000030C0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000003.327662190.00000000030C0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000003.327606871.00000000030C0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
(30 further matches of the same rule: 29 more dumps of the 0x30C0000 region of PID 7080 and the process memory space of PID 7080. The full list is given under "Key, Mouse, Clipboard, Microphone and Screen Capturing" in the Signature Overview.)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 9JRFKqb0ML.exe, Avira: detected
Multi AV Scanner detection for domain / URL
Source: https://daycareforyou.xyz/index.htm, Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: 9JRFKqb0ML.exe, Virustotal: Detection: 72%
Source: 9JRFKqb0ML.exe, ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: 9JRFKqb0ML.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.9JRFKqb0ML.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.9JRFKqb0ML.exe.2050000.1.unpack, Avira: Label: TR/Patched.Ren.Gen

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Note: {0002DF01-0000-0000-C000-000000000046} is CLSID_InternetExplorer, the InternetExplorer.Application automation object. The keys read are the ones CoCreateInstance walks for a class: TreatAs (redirection), then InprocServer32, InprocHandler32 and InprocHandler, in both the HKCU and HKLM Classes hives and in the WOW6432Node view because the sample is a 32-bit image running under WOW64. Internet Explorer is registered as an out-of-process (LocalServer32) server, so activation ends with the DcomLaunch service (svchost.exe) starting iexplore.exe with -Embedding. That is why the four iexplore.exe instances in the Startup section, each with its own SCODEF/CREDAT tab process, are top-level processes rather than children of 9JRFKqb0ML.exe: in a process-tree view the browser appears to start on its own.
Source: unknown, DNS traffic detected: queries for: daycareforyou.xyz
Source: 9JRFKqb0ML.exe, String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: 9JRFKqb0ML.exe, String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 9JRFKqb0ML.exe, String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: 9JRFKqb0ML.exe, String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 9JRFKqb0ML.exe, String found in binary or memory: http://ocsp.sectigo.com0
Source: 9JRFKqb0ML.exe, 00000000.00000003.327430855.00000000030C0000.00000004.00000040.sdmp, 9JRFKqb0ML.exe, 00000000.00000003.407176912.000000000072A000.00000004.00000001.sdmp, String found in binary or memory: https://daycareforyou.xyz
Source: 9JRFKqb0ML.exe, 00000000.00000002.593661879.0000000000711000.00000004.00000020.sdmp, 9JRFKqb0ML.exe, 00000000.00000003.429526964.0000000000713000.00000004.00000001.sdmp, String found in binary or memory: https://daycareforyou.xyz/
Source: 9JRFKqb0ML.exe, 00000000.00000002.593557029.00000000006AA000.00000004.00000020.sdmp, String found in binary or memory: https://daycareforyou.xyz/7
Source: 9JRFKqb0ML.exe, 00000000.00000003.429799958.00000000006D9000.00000004.00000001.sdmp, ~DFE4B63E1B19B94E90.TMP.24.dr, String found in binary or memory: https://daycareforyou.xyz/index.htm
Source: 9JRFKqb0ML.exe, 00000000.00000002.593661879.0000000000711000.00000004.00000020.sdmp, String found in binary or memory: https://daycareforyou.xyz/index.htm(m
Source: 9JRFKqb0ML.exe, 00000000.00000003.555785562.000000000073B000.00000004.00000001.sdmp, String found in binary or memory: https://daycareforyou.xyz/index.htm39Dz
Source: 9JRFKqb0ML.exe, 00000000.00000002.593629880.00000000006F1000.00000004.00000020.sdmp, String found in binary or memory: https://daycareforyou.xyz/index.htm:
Source: 9JRFKqb0ML.exe, 00000000.00000003.479251697.0000000000711000.00000004.00000001.sdmp, String found in binary or memory: https://daycareforyou.xyz/index.htmLL
Source: {5694FC47-2664-11EB-90E5-ECF4BB2D2496}.dat.3.dr, String found in binary or memory: https://daycareforyou.xyz/index.htmRoot
Source: 9JRFKqb0ML.exe, 00000000.00000002.593557029.00000000006AA000.00000004.00000020.sdmp, String found in binary or memory: https://daycareforyou.xyz/index.htmd
Source: 9JRFKqb0ML.exe, 00000000.00000002.593557029.00000000006AA000.00000004.00000020.sdmp, String found in binary or memory: https://daycareforyou.xyz/index.htmoundary=e55e7d15fe29458e
Source: {5694FC47-2664-11EB-90E5-ECF4BB2D2496}.dat.3.dr, String found in binary or memory: https://daycareforyou.xyz/index.htmxyz/index.htm
Source: 9JRFKqb0ML.exe, 00000000.00000003.429582663.00000000006D5000.00000004.00000001.sdmp, String found in binary or memory: https://diycareforyou.xyz/
Source: 9JRFKqb0ML.exe, 00000000.00000003.555452581.000000000073E000.00000004.00000001.sdmp, String found in binary or memory: https://fsycareforyou.xyz/
Source: 9JRFKqb0ML.exe, String found in binary or memory: https://sectigo.com/CPS0B
Source: 9JRFKqb0ML.exe, String found in binary or memory: https://sectigo.com/CPS0C
Note on reading this list: the sectigo.com CRL, certificate, OCSP and CPS URLs are found in the file on disk, not in a memory dump, and come from an embedded certificate chain (Sectigo RSA Code Signing CA and COMODO Time Stamping CA); the characters after each URL (0r, 0s, 0#, 0B, 0C) are DER length bytes that precede the next field, not part of the URL. Those hosts are certificate infrastructure and should not be blocked as C2; whether the signature still verifies is not stated in this report. The only domain actually queried over DNS is daycareforyou.xyz, and the VirusTotal hit is on https://daycareforyou.xyz/index.htm; the trailing characters on the in-memory copies of that URL are adjacent memory, and the "oundary=e55e7d15fe29458e" tail is a multipart form-data boundary parameter, consistent with a multipart POST to /index.htm. The URL also appears in the Internet Explorer recovery-store and temp files, which is how the browser instances above were used. diycareforyou.xyz and fsycareforyou.xyz differ from the queried domain by one and two characters and occur only in memory dumps, never in the file and never in DNS; the report does not show whether they are alternative C2 names or corrupted copies, so record all three as indicators but treat only daycareforyou.xyz as confirmed.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, file source: 00000000.00000003.327430855.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327547863.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326900879.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327662190.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327606871.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.429416643.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327234157.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326441239.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326352166.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327498168.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327785776.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.328009389.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326615853.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327175582.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327907532.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326974510.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327982477.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327824636.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327951450.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327932281.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327748500.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327882919.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327041003.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326800318.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.593974010.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327292215.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.328017755.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326530113.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327705993.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327994990.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327375776.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.326705151.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327854234.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.327111933.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 9JRFKqb0ML.exe PID: 7080, type: MEMORY
Source: 9JRFKqb0ML.exe, 00000000.00000002.593557029.00000000006AA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: all 34 dump matches are the same 0x30C0000 region of PID 7080, dumped repeatedly during the run and once at the end (the 00000002 entry); the Yara hit is on the unpacked payload in that region, not on the file on disk, so the on-disk hashes above identify this packed build only. The HOOK element is an entry from the sample's in-memory list of APIs it patches in the processes it injects into; DirectDrawCreateEx is the hook the sandbox files under screen capturing.

E-Banking Fraud:

Yara detected Ursnif
Source: the same 34 memory dumps of the 0x30C0000 region and the process memory space of PID 7080 listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (one rule, JoeSecurity_Ursnif, filed under both categories).

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI query: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI query: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI query: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI query: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI query: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Note: StdRegProv methods are executed by the WMI provider host (WmiPrvSE.exe) on the caller's behalf; the sample never calls a Reg* or NtSetValueKey API for these writes itself. Process-attributed registry telemetry (Sysmon Event ID 13, for example) therefore records WmiPrvSE.exe as the writing image, not 9JRFKqb0ML.exe. The sandbox sees the calls because it instruments the IWbemServices::ExecMethod interface; the report shows the methods used (SetDWORDValue, SetBinaryValue, SetStringValue) but not the target keys or values.
Contains functionality to call native functions
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_00401EE1 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_0208152F memcpy, memcpy, lstrcatW, CreateEventA, _wcsupr, lstrlenW, NtQueryInformationProcess, CloseHandle
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_02086FB6 NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, RtlNtStatusToDosError
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_020890C7 RtlInitUnicodeString, NtSetValueKey, NtDeleteValueKey, NtClose, RtlNtStatusToDosError
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_02082CD1 RtlInitUnicodeString, NtCreateKey
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_00401CC0
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_0208B420
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Code function: 0_2_0208ABCA
Note: the 0x0208xxxx functions live in the 0x2050000 unpacked module (the image Avira labels TR/Patched.Ren.Gen above), not in the on-disk 0x400000 image; the direct NtSetValueKey/NtDeleteValueKey/NtCreateKey calls there are a second, native path to the registry alongside the WMI one.
Sample file is different than original file name gathered from version info
Source: 9JRFKqb0ML.exe, 00000000.00000002.593928245.00000000020D0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilename nlsbres.dll vs 9JRFKqb0ML.exe
Source: 9JRFKqb0ML.exe, 00000000.00000002.594016312.00000000031F0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilename nlsbres.dll.mui vs 9JRFKqb0ML.exe
Source: 9JRFKqb0ML.exe, 00000000.00000000.325600272.0000000000423000.00000002.00020000.sdmp, Binary or memory string: OriginalFilename WTVConverter.exe vs 9JRFKqb0ML.exe
Source: 9JRFKqb0ML.exe, Binary or memory string: OriginalFilename WTVConverter.exe vs 9JRFKqb0ML.exe
Note: the version resource of the file on disk names it WTVConverter.exe, a Windows Media Center utility; together with the patched/renamed Avira label this points to a legitimate binary's resources being reused. The nlsbres.dll entries come from read-only mapped regions at 0x20D0000 and 0x31F0000 and are not informative on their own.
Source: classification engine, Classification label: mal100.bank.troj.evad.winEXE@13/47@24/0
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5694FC43-2664-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Temp\~DF1BE3B9AB9F4D4BA5.TMP
Source: 9JRFKqb0ML.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe, File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: the mutex is in the session-local namespace (\Sessions\1\...\Local\), so a host check for it must run in the user's logon session. The Safer\CodeIdentifiers key is the Software Restriction Policies store and is read whenever the loader evaluates SRP for a new process, so that last read carries little signal by itself.
            Source: C:\Users\user\Desktop\9JRFKqb0ML.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\9JRFKqb0ML.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\9JRFKqb0ML.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\9JRFKqb0ML.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\9JRFKqb0ML.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: 9JRFKqb0ML.exeVirustotal: Detection: 72%
            Source: 9JRFKqb0ML.exeReversingLabs: Detection: 85%
            Source: 9JRFKqb0ML.exeVirustotal: Detection: 72%
            Source: 9JRFKqb0ML.exeReversingLabs: Detection: 85%
            Source: 9JRFKqb0ML.exeString found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
            Source: 9JRFKqb0ML.exeString found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
            Source: unknownProcess created: C:\Users\user\Desktop\9JRFKqb0ML.exe 'C:\Users\user\Desktop\9JRFKqb0ML.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5056 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4980 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1768 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5056 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4980 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1768 CREDAT:17410 /prefetch:2Jump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\9JRFKqb0ML.exe 'C:\Users\user\Desktop\9JRFKqb0ML.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5056 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4980 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1768 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5056 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4980 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1768 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Users\user\Desktop\9JRFKqb0ML.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\9JRFKqb0ML.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Unpacked PE file: 0.2.9JRFKqb0ML.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Unpacked PE file: 0.2.9JRFKqb0ML.exe.400000.0.unpack
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress, 0_2_00401A1C
Source: 9JRFKqb0ML.exe | Static PE information: real checksum: 0x2be15 should be: 0x2eea6
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_00401CAF push ecx; ret 0_2_00401CBF
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_0204B7C0 push edx; ret 0_2_0204B94E
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_02042637 push ds; iretw 0_2_02042639
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_0204B670 push edx; ret 0_2_0204B67B
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_02043FA0 push EB564757h; ret 0_2_02043FA7
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_02043405 push eax; iretd 0_2_02043406
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_0204442C push esi; retf 0_2_0204444A
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_0204543A push FFFFFFA2h; iretd 0_2_0204545D
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_0204545F pushad ; iretd 0_2_0204549C
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_020430BB push ss; ret 0_2_020430D7
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_02044DDE push ecx; retf 0_2_02044DE5
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_020459E9 push esi; ret 0_2_020459ED
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_0208B40F push ecx; ret 0_2_0208B41F

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.327430855.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327547863.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326900879.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327662190.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327606871.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.429416643.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327234157.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326441239.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326352166.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327498168.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327785776.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.328009389.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326615853.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327175582.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327907532.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326974510.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327982477.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327824636.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327951450.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327932281.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327748500.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327882919.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327041003.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326800318.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.593974010.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327292215.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.328017755.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326530113.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327705993.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327994990.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327375776.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.326705151.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327854234.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.327111933.00000000030C0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9JRFKqb0ML.exe PID: 7080, type: MEMORY
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe TID: 6584 | Thread sleep time: -180000s >= -30000s
Source: 9JRFKqb0ML.exe, 00000000.00000002.593629880.00000000006F1000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress, 0_2_00401A1C
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_00401076 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess, 0_2_00401076
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Memory protected: page execute read | page execute and read and write | page guard
Source: 9JRFKqb0ML.exe, 00000000.00000002.593756041.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 9JRFKqb0ML.exe, 00000000.00000002.593756041.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 9JRFKqb0ML.exe, 00000000.00000002.593756041.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: 9JRFKqb0ML.exe, 00000000.00000002.593756041.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_0208893A cpuid 0_2_0208893A
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_00401668 GetSystemTimeAsFileTime,memcpy,memcpy,memcpy,memset, 0_2_00401668
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | Code function: 0_2_004110C0 LoadIconA,GetUserNameA,SetErrorMode, 0_2_004110C0
Source: C:\Users\user\Desktop\9JRFKqb0ML.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif

            Mitre Att&ck Matrix

            The matrix is listed here by tactic (column); a trailing number after a technique is the signature count shown for that cell in the report.

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
            Execution: Windows Management Instrumentation21; Command and Scripting Interpreter2; Native API1; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Privilege Escalation: Process Injection2; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Defense Evasion: Masquerading1; Virtualization/Sandbox Evasion1; Disable or Modify Tools1; Process Injection2; Obfuscated Files or Information1; Software Packing21; Compile After Delivery; Indicator Removal from Tools; Masquerading; Invalid Code Signature
            Credential Access: Input Capture1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
            Discovery: System Time Discovery1; Query Registry1; Security Software Discovery21; Virtualization/Sandbox Evasion1; Process Discovery1; Account Discovery1; System Owner/User Discovery1; Remote System Discovery1; File and Directory Discovery1; System Information Discovery12
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
            Collection: Input Capture1; Archive Collected Data1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
            Command and Control: Encrypted Channel1; Non-Application Layer Protocol1; Application Layer Protocol1; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

            Behavior Graph

            Behavior Graph ID: 316301 / Sample: 9JRFKqb0ML / Startdate: 14/11/2020 / Architecture: WINDOWS / Score: 100

            Analysis root
            • DNS/IP: daycareforyou.xyz
            • Signatures: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
            • Processes started: 9JRFKqb0ML.exe; iexplore.exe (1 54); iexplore.exe (1 50); 2 other processes

            9JRFKqb0ML.exe
            • DNS/IP: daycareforyou.xyz
            • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes or reads registry keys via WMI; 2 other signatures

            iexplore.exe (1 54) -> started iexplore.exe (38) -> DNS/IP: daycareforyou.xyz
            iexplore.exe (1 50) -> started iexplore.exe (29) -> DNS/IP: daycareforyou.xyz
            2 other processes -> started iexplore.exe (29) and iexplore.exe (29) -> DNS/IP: daycareforyou.xyz (each)

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.