
Windows Analysis Report R0xLHA2mT5.exe

Overview

General Information

Sample Name: R0xLHA2mT5.exe
Analysis ID: 528072
MD5: 9f3b8462c508884f6966f3ad4a275799
SHA1: 6288e611de585a6dc56c6399ef03012698d60392
SHA256: a548ac73d6acb5a260cb2e1760946c37ce94d89f3cd2a5b126e266e007dfc543
Tags: exe, Gozi
Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication

Process Tree

  • System is w10x64
  • R0xLHA2mT5.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\R0xLHA2mT5.exe" MD5: 9F3B8462C508884F6966F3AD4A275799)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.R0xLHA2mT5.exe.22b0000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.R0xLHA2mT5.exe.42a94a0.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.558633327.0000000002130000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: R0xLHA2mT5.exe | Metadefender: Detection: 22%
Source: R0xLHA2mT5.exe | ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: R0xLHA2mT5.exe | Joe Sandbox ML: detected
Source: 0.2.R0xLHA2mT5.exe.2130e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.R0xLHA2mT5.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.R0xLHA2mT5.exe.2140000.0.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
Source: R0xLHA2mT5.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 74.6.231.21:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 74.6.231.21 74.6.231.21
Source: Joe Sandbox View | IP Address: 87.248.100.216 87.248.100.216
Source: global traffic | HTTP traffic detected:
    GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.yahoo.com
    Cookie: B=0kqfhp5gpsta9&b=3&s=ki
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    date: Wed, 24 Nov 2021 17:24:25 GMT
    p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    cache-control: private
    x-content-type-options: nosniff
    content-type: text/html; charset=UTF-8
    x-envoy-upstream-service-time: 12
    server: ATS
    Content-Length: 1048
    Age: 2
    Connection: close
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p10fa5gpsta9&partner=;
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
Source: R0xLHA2mT5.exe, 00000000.00000003.448860394.000000000242A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559628202.000000000242D000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354035535.00000000023E6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354962867.000000000242B000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354031046.00000000023E2000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448860394.000000000242A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559628202.000000000242D000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354035535.00000000023E6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354962867.000000000242B000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354031046.00000000023E2000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | String found in binary or memory: +www.yahoo.com; equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp | String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz2Twl8%2fgY8V0mj8FFAgQDgBa_2Fr%2fju3YDzGHJQvJy7Ul%2fWNFipJkcZdncwpj%2fywnxu6MUxONK0Xvi9f%2fucETuIFdm%2fwokZPT9eFRDqyFNdNZik%2fFUVXSPqAP_2FwjH1nuX%2f3xMD5fDEH8K9cekhYWTKgU%2flNhM0C6AYaGMU%2fwTNgbH70ZfWGyVix%2f60.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: Location: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: MUxOnew-fp-shed.wg1.b.yahoo.comwww.yahoo.comVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTK equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: com.yahoo.www. equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/6 equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/? equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/\en-US\CRYPT32.dll.muiq equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: s://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz2Twl8%2fgY8V0mj8FFAgQDgBa_2Fr%2fju3YDzGHJQvJy7Ul%2fWNFipJkcZdncwpj%2fywnxu6MUxONK0Xvi9f%2fucETuIFdm%2fwokZPT9eFRDqyFNdNZik%2fFUVXSPqAP_2FwjH1nuX%2f3xMD5fDEH8K9cekhYWTKgU%2flNhM0C6AYaGMU%2fwTNgbH70ZfWGyVix%2f60.crw'; equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560060461.0000000004FDA000.00000004.00000010.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com- equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZd equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com5 equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com>Y equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comG equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comows\system32\jsproxy.dll equals www.yahoo.com (Yahoo)
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354035535.00000000023E6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p1
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | String found in binary or memory: https://qoderunovos.website
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | String found in binary or memory: https://soderunovos.website
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/0
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/T
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/_
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/jdraw/Few7Dvcu/4Rmd9fKY9IL2UtEgJUD5q9n/BajREx_2Bc/Peb7n8IHTpfTu9y6I/faIv
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/s
Source: R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.website
Source: R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/6
Source: R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/?
Source: R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz
Source: R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJ
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | String found in binary or memory: https://yahoo.com/b
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | String found in binary or memory: https://yahoo.com/d
Source: R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | String found in binary or memory: https://yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZd
Source: unknown | DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B5988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
Source: R0xLHA2mT5.exe, 00000000.00000002.559091455.000000000234A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: R0xLHA2mT5.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B836E
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7FBE
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAFC0
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401703 NtMapViewOfSection,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B9A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BB1E5 NtQueryVirtualMemory,
Source: R0xLHA2mT5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: R0xLHA2mT5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: R0xLHA2mT5.exe | Metadefender: Detection: 22%
Source: R0xLHA2mT5.exe | ReversingLabs: Detection: 45%
Source: R0xLHA2mT5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@4/2
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B8F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: R0xLHA2mT5.exe | Static PE information: More than 200 imports for KERNEL32.dll
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: R0xLHA2mT5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\julokapinuf\da.pdb source: R0xLHA2mT5.exe
                  Source: Binary string: C:\julokapinuf\da.pdbP+C source: R0xLHA2mT5.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Unpacked PE file: 0.2.R0xLHA2mT5.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BE62F push edi; retf
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAC00 push ecx; ret
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BAFAF push ecx; ret
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022BE9AC push 0B565A71h; ret
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0042E630 push ecx; mov dword ptr [esp], 00000000h
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_023600A6 push esp; iretd
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02363EAD push 12BFE4EFh; ret
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235EE91 push edx; iretd
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235E89D push esi; iretd
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02362CF3 push es; iretd
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235F184 push ebx; retf
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_02365B88 push ds; ret
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,
Source: initial sample | Static PE information: section name: .text entropy: 7.03993935197

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Process information set: NOOPENFILEERRORBOX
Source: R0xLHA2mT5.exe, 00000000.00000002.559383521.00000000023C6000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_0235C2F6 push dword ptr fs:[00000030h]
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: R0xLHA2mT5.exe, 00000000.00000002.559717345.00000000028D0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7A2E cpuid
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
Source: C:\Users\user\Desktop\R0xLHA2mT5.exe | Code function: 0_2_022B7A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: R0xLHA2mT5.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R0xLHA2mT5.exe.42a94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 1 | Process Injection 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 2 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 22 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

(Interactive behavior graph and its legend are not reproduced in the text report.)

Screenshots

Thumbnail: windows-stand (screenshot images are not reproduced in the text report).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
R0xLHA2mT5.exe | 23% | Metadefender |
R0xLHA2mT5.exe | 45% | ReversingLabs | Win32.Trojan.Chapak
R0xLHA2mT5.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.R0xLHA2mT5.exe.2130e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.R0xLHA2mT5.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.3.R0xLHA2mT5.exe.2140000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.R0xLHA2mT5.exe.22b0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner | Label
qoderunovos.website | 0% | Virustotal |
soderunovos.website | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://soderunovos.website/ | 0% | Avira URL Cloud | safe
https://soderunovos.website/_ | 0% | Avira URL Cloud | safe
https://soderunovos.websitehttps://qoderunovos.website | 0% | Avira URL Cloud | safe
https://soderunovos.website/jdraw/Few7Dvcu/4Rmd9fKY9IL2UtEgJUD5q9n/BajREx_2Bc/Peb7n8IHTpfTu9y6I/faIv | 0% | Avira URL Cloud | safe
https://soderunovos.website/T | 0% | Avira URL Cloud | safe
https://soderunovos.website/s | 0% | Avira URL Cloud | safe
https://soderunovos.website | 0% | Avira URL Cloud | safe
https://soderunovos.website/0 | 0% | Avira URL Cloud | safe
https://qoderunovos.website | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
new-fp-shed.wg1.b.yahoo.com | 87.248.100.216 | true | false | | high
yahoo.com | 74.6.231.21 | true | false | | high
www.yahoo.com | unknown | unknown | false | | high
qoderunovos.website | unknown | unknown | true | | unknown
soderunovos.website | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw | false | | high
https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://soderunovos.website/ | R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://soderunovos.website/_ | R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://soderunovos.websitehttps://qoderunovos.website | R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz | R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | false | | high
https://soderunovos.website/jdraw/Few7Dvcu/4Rmd9fKY9IL2UtEgJUD5q9n/BajREx_2Bc/Peb7n8IHTpfTu9y6I/faIv | R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://soderunovos.website/T | R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://soderunovos.website/s | R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://yahoo.com/d | R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | false | | high
https://yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZd | R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | false | | high
https://soderunovos.website | R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | true | Avira URL Cloud: safe | unknown
https://www.yahoo.com/? | R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | | high
https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJ | R0xLHA2mT5.exe, 00000000.00000002.559418267.00000000023E0000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.448819097.00000000023DD000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354046152.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | false | | high
https://soderunovos.website/0 | R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://qoderunovos.website | R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp | true | Avira URL Cloud: safe | unknown
https://policies.yahoo.com/w3c/p3p.xml | R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354919579.00000000023E0000.00000004.00000001.sdmp | false | | high
https://www.yahoo.com/ | R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | | high
https://yahoo.com/b | R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp | false | | high
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p1 | R0xLHA2mT5.exe, 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000003.355137973.000000000477B000.00000004.00000040.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559183663.000000000236A000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp | false | | high
https://www.yahoo.com/6 | R0xLHA2mT5.exe, 00000000.00000003.448832665.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000003.354933028.00000000023FB000.00000004.00000001.sdmp, R0xLHA2mT5.exe, 00000000.00000002.559469390.00000000023FB000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
74.6.231.21 | yahoo.com | United States | 36646 | YAHOO-NE1US | false
87.248.100.216 | new-fp-shed.wg1.b.yahoo.com | United Kingdom | 34010 | YAHOO-IRDGB | false

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528072
Start date: 24.11.2021
Start time: 18:22:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: R0xLHA2mT5.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 15% (good quality ratio 14.4%)
• Quality average: 82.1%
• Quality standard deviation: 27.1%
HCA Information:
• Successful, ratio: 66%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

                                                No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
74.6.231.21 | GLpkbbRAp2.dll | Get hash | malicious | Browse |
74.6.231.21 | youNextNext.dll | Get hash | malicious | Browse |
74.6.231.21 | bebys10.dll | Get hash | malicious | Browse |
74.6.231.21 | loveTubeLike.dll | Get hash | malicious | Browse |
74.6.231.21 | zuroq1.dll | Get hash | malicious | Browse |
74.6.231.21 | kANwTlkiJp.dll | Get hash | malicious | Browse |
74.6.231.21 | gVuD2n1r5v.dll | Get hash | malicious | Browse |
74.6.231.21 | BQIyt2B7Im.dll | Get hash | malicious | Browse |
74.6.231.21 | uj8A47Ew7u.dll | Get hash | malicious | Browse |
74.6.231.21 | mqxJYyvnoI.dll | Get hash | malicious | Browse |
74.6.231.21 | zq8o6y1z60.dll | Get hash | malicious | Browse |
74.6.231.21 | SecuriteInfo.com.Variant.Bulz.383129.23206.exe | Get hash | malicious | Browse |
74.6.231.21 | SecuriteInfo.com.Variant.Bulz.383129.29566.exe | Get hash | malicious | Browse |
74.6.231.21 | File_868646.xlsb | Get hash | malicious | Browse |
74.6.231.21 | jvBfrKaF4S.xlsb | Get hash | malicious | Browse |
74.6.231.21 | COQV159DNC.xlsb | Get hash | malicious | Browse |
74.6.231.21 | aJA1Ldh1iR.xlsb | Get hash | malicious | Browse |
74.6.231.21 | AdGhJBWo7O.xlsb | Get hash | malicious | Browse |
74.6.231.21 | B2v9PZCsbT.xlsb | Get hash | malicious | Browse |
74.6.231.21 | SecuriteInfo.com.Trojan.GenericKDZ.73289.4020.xlsb | Get hash | malicious | Browse |
87.248.100.216 | FpYf5EGDO9.exe | Get hash | malicious | Browse |
87.248.100.216 | anIV2qJeLD.exe | Get hash | malicious | Browse |
87.248.100.216 | 0MGLPJiSa5.dll | Get hash | malicious | Browse |
87.248.100.216 | Fuutbqvhmc.dll | Get hash | malicious | Browse |
87.248.100.216 | X4V4jFmFhO.dll | Get hash | malicious | Browse |
87.248.100.216 | GLpkbbRAp2.dll | Get hash | malicious | Browse |
87.248.100.216 | bebys12.dll | Get hash | malicious | Browse |
87.248.100.216 | loveTubeLike.dll | Get hash | malicious | Browse |
87.248.100.216 | zuroq8.dll | Get hash | malicious | Browse |
87.248.100.216 | zuroq1.dll | Get hash | malicious | Browse |
87.248.100.216 | nextNextLike.dll | Get hash | malicious | Browse |
87.248.100.216 | gVuD2n1r5v.dll | Get hash | malicious | Browse |
87.248.100.216 | BQIyt2B7Im.dll | Get hash | malicious | Browse |
87.248.100.216 | 52k0qe3yt3.dll | Get hash | malicious | Browse |
87.248.100.216 | BQIyt2B7Im.dll | Get hash | malicious | Browse |
87.248.100.216 | SayEjNMwtQ.dll | Get hash | malicious | Browse |
87.248.100.216 | uj8A47Ew7u.dll | Get hash | malicious | Browse |
87.248.100.216 | SecuriteInfo.com.W64.Bzrloader.IEldorado.25041.dll | Get hash | malicious | Browse |
87.248.100.216 | powTubeDoor.dll | Get hash | malicious | Browse |
87.248.100.216 | WGEcMZQA.dll | Get hash | malicious | Browse |

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
new-fp-shed.wg1.b.yahoo.com | FpYf5EGDO9.exe | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | anIV2qJeLD.exe | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | 0MGLPJiSa5.dll | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | loveTubeLike.dll | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | Fuutbqvhmc.dll | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | Antic Cracked.exe | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | nesfooF2Q1.exe | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | X4V4jFmFhO.dll | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | GLpkbbRAp2.dll | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | youNextNext.dll | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | bebys10.dll | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | bebys12.dll | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | loveTubeLike.dll | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | zuroq8.dll | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | zuroq1.dll | Get hash | malicious | Browse | 87.248.100.216
new-fp-shed.wg1.b.yahoo.com | nextNextLike.dll | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | TFIw2EIiZh.exe | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | Solicitor Inquiry No. 001_4921 - UK.xls | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | kANwTlkiJp.dll | Get hash | malicious | Browse | 87.248.100.215
new-fp-shed.wg1.b.yahoo.com | gVuD2n1r5v.dll | Get hash | malicious | Browse | 87.248.100.215

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
YAHOO-NE1US | loveTubeLike.dll | Get hash | malicious | Browse | 74.6.231.20
YAHOO-NE1US | Fuutbqvhmc.dll | Get hash | malicious | Browse | 74.6.231.20
YAHOO-NE1US | mips | Get hash | malicious | Browse | 98.137.87.76
YAHOO-NE1US | GLpkbbRAp2.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | youNextNext.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | bebys10.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | bebys12.dll | Get hash | malicious | Browse | 74.6.231.20
YAHOO-NE1US | loveTubeLike.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | zuroq1.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | nextNextLike.dll | Get hash | malicious | Browse | 74.6.231.20
YAHOO-NE1US | kANwTlkiJp.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | gVuD2n1r5v.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | BQIyt2B7Im.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | BQIyt2B7Im.dll | Get hash | malicious | Browse | 74.6.231.20
YAHOO-NE1US | uj8A47Ew7u.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | EWTeT0uzHW | Get hash | malicious | Browse | 98.139.7.81
YAHOO-NE1US | OcO4KUSfwn | Get hash | malicious | Browse | 98.137.87.66
YAHOO-NE1US | mqxJYyvnoI.dll | Get hash | malicious | Browse | 74.6.231.21
YAHOO-NE1US | Tsunami.x86 | Get hash | malicious | Browse | 98.137.87.95
YAHOO-NE1US | zq8o6y1z60.dll | Get hash | malicious | Browse | 74.6.231.21

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
37f463bf4616ecd445d4a1937da06e19 | XP-SN-7843884.htm | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | XP-SN-8324655.htm | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | new-1834138397.xls | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | 1.htm | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | FACTURAS.exe | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | new-1179494065.xls | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | Arrival Notice, CIA Awb Inv Form.pdf.exe | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | TT-PRIME USD242,357,59.ppam | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | chase.xls | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | Statement from QNB.exe | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | private-1915056036.xls | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | private-1910485378.xls | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | doc201002124110300200.exe | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | t 2021.HtML | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | INVOICE - FIRST 2 CONTAINERS 1110.docx | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | INVOICE - FIRST 2 CONTAINERS 1110.docx | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | Justificante.exe | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | muhammadbad.html | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | MtCsSK9TK2.exe | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216
37f463bf4616ecd445d4a1937da06e19 | 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe | Get hash | malicious | Browse | 74.6.231.21, 87.248.100.216

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.862869752671554
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: R0xLHA2mT5.exe
File size: 298496
MD5: 9f3b8462c508884f6966f3ad4a275799
SHA1: 6288e611de585a6dc56c6399ef03012698d60392
SHA256: a548ac73d6acb5a260cb2e1760946c37ce94d89f3cd2a5b126e266e007dfc543
SHA512: d9d529ed258ffaf33f729cb822fc602748772df8f8710a4a77e9d4fbea02658fd0c9a0e4d1f920c99230551705c0e643e4eac5bcca0b008f5cb48679e56c1a37
SSDEEP: 6144:0fcUtwkDhJYbsB/qMZSXuZet0yyen73jF20+Mpbz/CyU:0U2n1B/3ZSXuZet0yye7w0+MpC
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0.r"t..qt..qt..q...q]..q...qe..q...q...q}..q...qt..qq..q...qu..q...qu..q...qu..qRicht..q........PE..L.....``...................

                                                                                                                                File Icon

                                                                                                                                Icon Hash:a2e8e8e8aaa2a488

Static PE Info

General

Entrypoint: 0x417cf0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x6060D3B3 [Sun Mar 28 19:06:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 62f526399c5bc6ba1d2354b3cc3131f3

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FA350B87BBBh
call 00007FA350B878C6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042FAD0h
push 0041BF10h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00432064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401368h]
cmp dword ptr [01FB5ABCh], 00000000h
jne 00007FA350B878C0h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401364h]
call 00007FA350B87A43h
mov dword ptr [ebp-6Ch], eax
call 00007FA350B8BA0Bh
test eax, eax
jne 00007FA350B878BCh
push 0000001Ch
call 00007FA350B87A00h
add esp, 04h
call 00007FA350B8B368h
test eax, eax
jne 00007FA350B878BCh
push 00000010h
call 00007FA350B879EDh
add esp, 04h
push 00000001h
call 00007FA350B8B2B3h
add esp, 04h
call 00007FA350B88F6Bh
mov dword ptr [ebp-04h], 00000000h
call 00007FA350B88B4Fh
test eax, eax

Rich Headers

Programming Language:
• [LNK] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [C++] VS2010 build 30319
• [RES] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x300b4          0x78          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1bb7000        0x5470        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1bbd000        0x17fc        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1450           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x17b28          0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x408         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x1000           0x30970       0x30a00   False     0.607316436375   data       7.03993935197    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0x32000          0x1b84ac0     0x1400    unknown   unknown          unknown    unknown          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x1bb7000        0x5470        0x5600    False     0.609783793605   data       5.95998340963    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1bbd000        0x115e0       0x11600   False     0.0756379271583  data       0.97914473251    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name             RVA        Size    Type                                                                            Language                    Country
YONAMIKORUFENI   0x1bba700  0xee8   ASCII text, with very long lines, with no line terminators                      Spanish                     Paraguay
RT_CURSOR        0x1bbb5e8  0x8a8   dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"  Divehi; Dhivehi; Maldivian  Maldives
RT_ICON          0x1bb7330  0x8a8   data                                                                            Spanish                     Paraguay
RT_ICON          0x1bb7bd8  0x6c8   data                                                                            Spanish                     Paraguay
RT_ICON          0x1bb82a0  0x568   GLS_BINARY_LSB_FIRST                                                            Spanish                     Paraguay
RT_ICON          0x1bb8808  0x10a8  data                                                                            Spanish                     Paraguay
RT_ICON          0x1bb98b0  0x988   data                                                                            Spanish                     Paraguay
RT_ICON          0x1bba238  0x468   GLS_BINARY_LSB_FIRST                                                            Spanish                     Paraguay
RT_STRING        0x1bbbea8  0xfc    data                                                                            Divehi; Dhivehi; Maldivian  Maldives
RT_STRING        0x1bbbfa8  0x26c   data                                                                            Divehi; Dhivehi; Maldivian  Maldives
RT_STRING        0x1bbc218  0x254   data                                                                            Divehi; Dhivehi; Maldivian  Maldives
RT_GROUP_CURSOR  0x1bbbe90  0x14    data                                                                            Divehi; Dhivehi; Maldivian  Maldives
RT_GROUP_ICON    0x1bba6a0  0x5a    data                                                                            Spanish                     Paraguay

Imports

DLL           Import
KERNEL32.dll  GetNumaNodeProcessorMask, SetCriticalSectionSpinCount, SearchPathW, SetInformationJobObject, lstrcmpA, FindFirstFileW, SetThreadContext, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, lstrlenA, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, BuildCommDCBAndTimeoutsA, FreeLibrary, DeleteVolumeMountPointA, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, MoveFileExW, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, SetConsoleActiveScreenBuffer, WritePrivateProfileSectionA, SetDefaultCommConfigW, GetSystemWindowsDirectoryW, SetEnvironmentVariableW, CreateJobObjectW, SignalObjectAndWait, AddConsoleAliasW, GetComputerNameW, SetEvent, SetThreadExecutionState, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, GetSystemWow64DirectoryA, SetCommTimeouts, CreateActCtxW, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, GlobalAlloc, GetPrivateProfileIntA, LoadLibraryW, GetConsoleMode, FatalAppExitW, GetThreadSelectorEntry, AssignProcessToJobObject, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, SetVolumeMountPointA, ReadConsoleOutputW, SetConsoleCP, InterlockedPopEntrySList, LeaveCriticalSection, GetFileAttributesA, GlobalFlags, lstrcpynW, GetNamedPipeInfo, HeapValidate, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, HeapQueryInformation, WritePrivateProfileSectionW, TerminateProcess, GetAtomNameW, FileTimeToSystemTime, UnregisterWait, GetModuleFileNameW, lstrcatA, GetBinaryTypeW, CompareStringW, ExitThread, GetVolumePathNameA, lstrlenW, SetConsoleTitleA, WritePrivateProfileStringW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, FindVolumeMountPointClose, GetLongPathNameA, VirtualAlloc, HeapSize, SetFirmwareEnvironmentVariableW, CreateNamedPipeA, CreateJobSet, LocalLock, LockFileEx, VerLanguageNameW, BuildCommDCBW, DefineDosDeviceA, FindClose, GetPrivateProfileStringA, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, MoveFileA, GetExitCodeThread, GetNumberFormatW, SetFileApisToANSI, QueryDosDeviceW, SetConsoleWindowInfo, SetThreadIdealProcessor, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, GetVolumePathNamesForVolumeNameA, GetModuleFileNameA, GetDefaultCommConfigA, FindNextFileA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, _lread, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, GetProcessAffinityMask, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, WriteProfileStringW, EnumDateFormatsW, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, GetCPInfoExA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, ReadConsoleInputW, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CopyFileExA, CreateFileW, SetStdHandle, GetPrivateProfileSectionNamesW, EnumResourceNamesW, GetThreadContext, IsDBCSLeadByte, GetFullPathNameA, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, ExitProcess, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, FlushFileBuffers
USER32.dll    GetMessageTime
GDI32.dll     GetBitmapBits
ADVAPI32.dll  InitiateSystemShutdownA, GetFileSecurityW
MSIMG32.dll   AlphaBlend

Possible Origin

Language of compilation system  Country where language is spoken  Map
Spanish                         Paraguay
Divehi; Dhivehi; Maldivian      Maldives

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 24, 2021 18:24:25.064677000 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.064727068 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.064826965 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.084196091 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.084261894 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.350553036 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.350639105 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.605936050 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.605972052 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.606558084 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.606643915 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.609898090 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.652873993 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.739583015 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.739701033 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.739703894 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.739758968 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.788775921 CET  49720        443        192.168.2.3     74.6.231.21
Nov 24, 2021 18:24:25.788804054 CET  443          49720      74.6.231.21     192.168.2.3
Nov 24, 2021 18:24:25.822021008 CET  49721        443        192.168.2.3     87.248.100.216
Nov 24, 2021 18:24:25.822061062 CET  443          49721      87.248.100.216  192.168.2.3
Nov 24, 2021 18:24:25.822155952 CET  49721        443        192.168.2.3     87.248.100.216
Nov 24, 2021 18:24:25.822999954 CET  49721        443        192.168.2.3     87.248.100.216
Nov 24, 2021 18:24:25.823020935 CET  443          49721      87.248.100.216  192.168.2.3
Nov 24, 2021 18:24:25.910984993 CET  443          49721      87.248.100.216  192.168.2.3
Nov 24, 2021 18:24:25.911099911 CET  49721        443        192.168.2.3     87.248.100.216
Nov 24, 2021 18:24:25.929397106 CET  49721        443        192.168.2.3     87.248.100.216
Nov 24, 2021 18:24:25.929425001 CET  443          49721      87.248.100.216  192.168.2.3
Nov 24, 2021 18:24:25.929687977 CET  443          49721      87.248.100.216  192.168.2.3
Nov 24, 2021 18:24:25.929764032 CET  49721        443        192.168.2.3     87.248.100.216
                                                                                                                                Nov 24, 2021 18:24:25.930593014 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:25.972871065 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150295019 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150407076 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.150423050 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150445938 CET4434972187.248.100.216192.168.2.3
                                                                                                                                Nov 24, 2021 18:24:26.150509119 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.150522947 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.152529001 CET49721443192.168.2.387.248.100.216
                                                                                                                                Nov 24, 2021 18:24:26.152566910 CET4434972187.248.100.216192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2021 18:24:25.005891085 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:24:25.025409937 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 18:24:25.798044920 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:24:25.818571091 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 18:24:46.316181898 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:24:46.338320017 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Nov 24, 2021 18:26:06.369411945 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 24, 2021 18:26:06.391844034 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 24, 2021 18:24:25.005891085 CET | 192.168.2.3 | 8.8.8.8 | 0x4a4 | Standard query (0) | yahoo.com | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.798044920 CET | 192.168.2.3 | 8.8.8.8 | 0xe878 | Standard query (0) | www.yahoo.com | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:46.316181898 CET | 192.168.2.3 | 8.8.8.8 | 0x802d | Standard query (0) | soderunovos.website | A (IP address) | IN (0x0001)
Nov 24, 2021 18:26:06.369411945 CET | 192.168.2.3 | 8.8.8.8 | 0xd72f | Standard query (0) | qoderunovos.website | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com | | 74.6.231.21 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com | | 74.6.143.26 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com | | 74.6.143.25 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com | | 74.6.231.20 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com | | 98.137.11.164 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.025409937 CET | 8.8.8.8 | 192.168.2.3 | 0x4a4 | No error (0) | yahoo.com | | 98.137.11.163 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.818571091 CET | 8.8.8.8 | 192.168.2.3 | 0xe878 | No error (0) | www.yahoo.com | new-fp-shed.wg1.b.yahoo.com | | CNAME (Canonical name) | IN (0x0001)
Nov 24, 2021 18:24:25.818571091 CET | 8.8.8.8 | 192.168.2.3 | 0xe878 | No error (0) | new-fp-shed.wg1.b.yahoo.com | | 87.248.100.216 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:25.818571091 CET | 8.8.8.8 | 192.168.2.3 | 0xe878 | No error (0) | new-fp-shed.wg1.b.yahoo.com | | 87.248.100.215 | A (IP address) | IN (0x0001)
Nov 24, 2021 18:24:46.338320017 CET | 8.8.8.8 | 192.168.2.3 | 0x802d | Name error (3) | soderunovos.website | none | none | A (IP address) | IN (0x0001)
Nov 24, 2021 18:26:06.391844034 CET | 8.8.8.8 | 192.168.2.3 | 0xd72f | Name error (3) | qoderunovos.website | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• yahoo.com
• www.yahoo.com

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49720 | 74.6.231.21 | 443 | C:\Users\user\Desktop\R0xLHA2mT5.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-24 17:24:25 UTC | 0 | OUT | GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: yahoo.com
Connection: Keep-Alive
Cache-Control: no-cache
2021-11-24 17:24:25 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 24 Nov 2021 17:24:25 GMT
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Server: ATS
Cache-Control: no-store, no-cache
Content-Type: text/html
Content-Language: en
X-Frame-Options: SAMEORIGIN
Set-Cookie: B=0kqfhp5gpsta9&b=3&s=ki; expires=Thu, 24-Nov-2022 17:24:25 GMT; path=/; domain=.yahoo.com
Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
Referrer-Policy: no-referrer-when-downgrade
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Location: https://www.yahoo.com/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw
Content-Length: 8
2021-11-24 17:24:25 UTC | 1 | IN | Data Raw: 72 65 64 69 72 65 63 74
Data Ascii: redirect


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49721 | 87.248.100.216 | 443 | C:\Users\user\Desktop\R0xLHA2mT5.exe

Timestamp | kBytes transferred | Direction | Data
2021-11-24 17:24:25 UTC | 1 | OUT | GET /jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.yahoo.com
Cookie: B=0kqfhp5gpsta9&b=3&s=ki
2021-11-24 17:24:26 UTC | 1 | IN | HTTP/1.1 404 Not Found
date: Wed, 24 Nov 2021 17:24:25 GMT
p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
cache-control: private
x-content-type-options: nosniff
content-type: text/html; charset=UTF-8
x-envoy-upstream-service-time: 12
server: ATS
Content-Length: 1048
Age: 2
Connection: close
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=0p10fa5gpsta9&partner=;
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
2021-11-24 17:24:26 UTC | 2 | IN | Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 42 3d 30 6b 71 66 68 70 35 67 70 73 74 61 39 26 62 3d 33 26 73 3d 6b 69 3b 20 45 78 70 69 72 65 73 3d 54 68 75 2c 20 32 34 20 4e 6f 76 20 32 30 32 32 20 32 33 3a 32 34 3a 32 36 20 47 4d 54 3b 20 4d 61 78 2d 41 67 65 3d 33 31 35 35 37 36 30 30 3b 20 44 6f 6d 61 69 6e 3d 2e 79 61 68 6f 6f 2e 63 6f 6d 3b 20 50 61 74 68 3d 2f 0d 0a 45 78 70 65 63 74 2d 43 54 3a 20 6d 61 78 2d 61 67 65 3d 33 31 35 33 36 30 30 30 2c 20 72 65 70 6f 72 74 2d 75 72 69 3d 22 68 74 74 70 3a 2f 2f 63 73 70 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 62 65 61 63 6f 6e 2f 63 73 70 3f 73 72 63 3d 79 61 68 6f 6f 63 6f 6d 2d 65 78 70 65 63 74 2d 63 74 2d 72 65 70 6f 72 74 2d 6f 6e 6c 79 22 0d 0a 52 65 66 65 72 72 65 72 2d 50 6f 6c 69 63 79 3a 20 6e 6f 2d 72 65 66
Data Ascii: Set-Cookie: B=0kqfhp5gpsta9&b=3&s=ki; Expires=Thu, 24 Nov 2022 23:24:26 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"Referrer-Policy: no-ref
2021-11-24 17:24:26 UTC | 3 | IN | Data Raw: 3c 68 74 6d 6c 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 75 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 3f 65 72 72 3d 34 30 34 26 65 72 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 61 25 32 66 25 32 66 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 25 32 66 6a 64 72 61 77 25 32 66 62 78 4c 31 78 77 6a 79 49 44 46 25 32 66 57 68 6e 72 58 4a 57 6d 7a 32 54 77 6c 38 25 32 66 67 59 38 56 30 6d 6a 38 46 46 41 67 51 44 67 42 61 5f 32 46 72 25 32 66 6a 75 33 59 44 7a 47 48 4a 51 76 4a 79 37 55 6c 25 32 66 57 4e 46 69 70 4a 6b 63 5a 64 6e 63 77 70 6a 25 32 66 79 77 6e 78 75 36 4d 55 78 4f 4e 4b 30 58 76 69 39 66 25 32 66 75 63 45 54 75 49 46 64 6d 25 32 66 77 6f 6b 5a 50 54 39
Data Ascii: <html><meta charset='utf-8'><script>var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fbxL1xwjyIDF%2fWhnrXJWmz2Twl8%2fgY8V0mj8FFAgQDgBa_2Fr%2fju3YDzGHJQvJy7Ul%2fWNFipJkcZdncwpj%2fywnxu6MUxONK0Xvi9f%2fucETuIFdm%2fwokZPT9
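
The two proxied sessions show the ISFB request shape a detection engineer should key on: a User-Agent claiming MSIE 8.0 on Windows NT 10.0 (a pairing no real browser produces, since IE 8 never ran on Windows 10), and a long chain of base64-alphabet path segments carrying the family's `_2F` escape for `/`, ending in a decoy file name, sent first to the decoy entry of the extracted c2_domain list (yahoo.com), which answers 301 and then 404 while the real .website domains fail to resolve. The script below is an added example, not part of the Joe Sandbox report or of the sample: it scores a request against those indicators and rebuilds the base64 blob from the path. The blob layout it assumes (the leading directory is a decoy, the numeric stem of the file name completes the blob, the extension is a decoy) is inferred from this sample, where it yields 192 base64 characters and 144 decoded bytes, nine 16-byte blocks, which fits the Serpent key in the extracted configuration; decrypting the blob would need a Serpent implementation and is not done here. The `_2B` escape for `+` is the family's documented companion to `_2F` and does not occur in this sample. The benign request used for contrast is constructed.

```python
import base64
import re

# Request copied from proxied session 0 of this report (Ursnif/ISFB beacon).
SAMPLE_PATH = (
    "/jdraw/bxL1xwjyIDF/WhnrXJWmz2Twl8/gY8V0mj8FFAgQDgBa_2Fr/ju3YDzGHJQvJy7Ul/"
    "WNFipJkcZdncwpj/ywnxu6MUxONK0Xvi9f/ucETuIFdm/wokZPT9eFRDqyFNdNZik/"
    "FUVXSPqAP_2FwjH1nuX/3xMD5fDEH8K9cekhYWTKgU/lNhM0C6AYaGMU/wTNgbH70ZfWGyVix/60.crw"
)
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)",
    "Host": "yahoo.com",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}

# Constructed benign request for contrast; not taken from the report.
BENIGN_PATH = "/static/js/app.min.js"
BENIGN_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0",
    "Host": "www.example.com",
}

_B64_CHARS = re.compile(r"[A-Za-z0-9+/]+")
_DECOY_FILE = re.compile(r"\d+\.[A-Za-z0-9]{2,5}")


def unescape_segment(seg: str) -> str:
    """Undo the ISFB base64 escapes: '_2F' -> '/', '_2B' -> '+'."""
    return seg.replace("_2F", "/").replace("_2B", "+")


def path_shape_matches(path: str) -> bool:
    """True when the path is <decoy dir>/<base64 chunks...>/<digits>.<ext>."""
    parts = path.strip("/").split("/")
    if len(parts) < 6 or not _DECOY_FILE.fullmatch(parts[-1]):
        return False
    return all(_B64_CHARS.fullmatch(unescape_segment(s)) for s in parts[1:-1])


def beacon_indicators(path: str, headers: dict) -> list:
    """Return the ISFB beacon indicators a request matches (empty = none)."""
    hits = []
    if path_shape_matches(path):
        hits.append("path: chain of base64-alphabet segments ending in <digits>.<ext>")
    if "_2F" in path or "_2B" in path:
        hits.append("path: ISFB '_2F'/'_2B' escapes for '/' and '+'")
    ua = headers.get("User-Agent", "")
    if "MSIE 8.0" in ua and "Windows NT 10.0" in ua:
        hits.append("ua: MSIE 8.0 paired with Windows NT 10.0 (no real browser)")
    return hits


def recover_blob(path: str) -> bytes:
    """Rebuild and base64-decode the payload spread across the path.

    Layout assumed (inferred from this sample, not stated by the report):
    parts[0] is a decoy directory, parts[1:-1] are the blob cut at arbitrary
    points, the digits of the last component complete the blob and the
    extension is a decoy. Raises binascii.Error if the result is not base64.
    """
    parts = path.strip("/").split("/")
    stem = parts[-1].split(".", 1)[0]
    b64 = unescape_segment("".join(parts[1:-1]) + stem)
    return base64.b64decode(b64, validate=True)


def triage(path: str, headers: dict) -> dict:
    """Score a request and, when the path shape matches, report blob size."""
    result = {"indicators": beacon_indicators(path, headers),
              "blob_len": None, "block_aligned": False}
    if path_shape_matches(path):
        try:
            blob = recover_blob(path)
        except ValueError:  # binascii.Error is a ValueError subclass
            return result
        result["blob_len"] = len(blob)
        # Serpent (the cipher named by the extracted config) uses 16-byte blocks.
        result["block_aligned"] = len(blob) % 16 == 0
    return result


if __name__ == "__main__":
    for name, p, h in (("sample", SAMPLE_PATH, SAMPLE_HEADERS),
                       ("benign", BENIGN_PATH, BENIGN_HEADERS)):
        print(name, triage(p, h))
```

The three indicators are independent on purpose: the UA string alone is a cheap proxy-log rule, the path shape catches beacons to any of the configured hosts, and the block-aligned blob length separates real ISFB traffic from look-alike CDN paths. Run over the sample, `triage` reports all three indicators and a 144-byte, block-aligned blob; the constructed benign request reports none.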


Code Manipulations

Statistics

System Behavior

General

Start time: 18:23:55
Start date: 24/11/2021
Path: C:\Users\user\Desktop\R0xLHA2mT5.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\R0xLHA2mT5.exe"
Imagebase: 0x400000
File size: 298496 bytes
MD5 hash: 9F3B8462C508884F6966F3AD4A275799
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.354992227.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355061879.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355102011.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.560013904.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355079733.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355113871.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355042494.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.559974818.00000000042A9000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355017568.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.355125356.0000000004778000.00000004.00000040.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
