Windows Analysis Report
OojqjHGE0W.exe

Overview

General Information

Sample Name: OojqjHGE0W.exe
Analysis ID: 630152
MD5: 4ed3fa33609a51baf209a5954bef6633
SHA1: aff82f0554f18c780561d6b8b1ca5a1001e42512
SHA256: 988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
Tags: exe, signed

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Snort IDS alert for network traffic
Writes to foreign memory regions
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found API chain indicative of debugger detection
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • OojqjHGE0W.exe (PID: 3408 cmdline: "C:\Users\user\Desktop\OojqjHGE0W.exe" MD5: 4ED3FA33609A51BAF209A5954BEF6633)
    • InstallUtil.exe (PID: 5584 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

{
  "RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=",
  "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"],
  "botnet": "1700",
  "server": "50",
  "serpent_key": "1OoXFPbINCQ6HCAa",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
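The following is an added example, not part of the Joe Sandbox report, showing how an analyst turns the extracted configuration above into indicators. It parses the JSON exactly as printed above, checks that the Serpent key is the 16-byte (128-bit) key Ursnif's traffic encryption uses, base64-decodes the RSA public key blob, and splits the c2_domain list into bare IP addresses and hostnames. Treating hostnames under msn.com as connectivity-check or decoy entries is an analyst assumption (LEGIT_PARENTS is a placeholder list to tune per environment): the captured traffic in this run goes only to msn.com hosts, and the two raw addresses never appear, so the msn.com names are poor blocking indicators while the IPs are good ones.

```python
"""Turn the Ursnif configuration extracted in this report into indicators.

Added example, not part of the Joe Sandbox report. CONFIG_JSON is the
configuration block printed in the report; LEGIT_PARENTS is an
analyst-chosen placeholder list.
"""
import base64
import ipaddress
import json

# Copied from the report's malware configuration block.
CONFIG_JSON = r'''
{"RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=", "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"], "botnet": "1700", "server": "50", "serpent_key": "1OoXFPbINCQ6HCAa", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
'''

# Registered domains whose subdomains the bot contacts for connectivity
# checks or decoy traffic (assumption; tune per environment). Blocking
# them would break ordinary users, so they are reported separately.
LEGIT_PARENTS = ("msn.com",)


def parse_config(text):
    """Parse the extractor's JSON and normalise the fields we act on."""
    cfg = json.loads(text)
    serpent = cfg["serpent_key"].encode()
    if len(serpent) != 16:
        # Ursnif encrypts its C2 traffic with Serpent under a 128-bit key.
        raise ValueError("unexpected Serpent key length %d" % len(serpent))
    rsa_blob = base64.b64decode(cfg["RSA Public Key"])
    return {
        "rsa_blob_len": len(rsa_blob),
        "serpent_key": serpent,
        "botnet": int(cfg["botnet"]),
        "server": int(cfg["server"]),
        "c2": list(cfg["c2_domain"]),
        "sleep_time": int(cfg["sleep_time"]),
        "conf_timeout": int(cfg["CONF_TIMEOUT"]),
    }


def classify_c2(entries):
    """Split the c2_domain list into what to block and what to merely log."""
    out = {"block_ips": [], "block_hosts": [], "decoy_hosts": []}
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            pass
        else:
            out["block_ips"].append(entry)
            continue
        host = entry.lower().rstrip(".")
        if any(host == p or host.endswith("." + p) for p in LEGIT_PARENTS):
            out["decoy_hosts"].append(entry)
        else:
            out["block_hosts"].append(entry)
    return out


def indicators(text):
    """Parsed config plus the C2 split, ready to feed a blocklist."""
    cfg = parse_config(text)
    cfg["c2_split"] = classify_c2(cfg["c2"])
    return cfg


if __name__ == "__main__":
    print(json.dumps(indicators(CONFIG_JSON), indent=2, default=repr))
```

The botnet and server identifiers are kept as integers so they can be matched against other samples of the same campaign; the RSA blob is only length-checked here, since the page does not document its internal layout.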

Yara matches in memory dumps

Source | Rule | Description | Author
0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(7 further entries not shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author
10.2.InstallUtil.exe.1b694a0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
10.2.InstallUtil.exe.1340000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
10.2.InstallUtil.exe.1b694a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

No Sigma rule has matched

Snort IDS alerts

Timestamp | Source | Destination | Protocol | SID | Message | Classtype
05/19/22-14:41:40.292996 | 192.168.2.3:49702 | 52.169.118.173:80 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | A Network Trojan was detected
05/19/22-14:41:40.292996 | 192.168.2.3:49702 | 52.169.118.173:80 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | A Network Trojan was detected


                  AV Detection

Source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "S0cXgkczLn8DzpFkqJkBMx5geC7yniHR4ECyGeVYDO5jsqYVdXE2v679nj0L+4Im3j/P6z1P+Yt1BRosNI7Edvd1U5N0OYNwNVRfWwfbhm6jaX9Kjt9vEFS5dCsKX71jt2XzO+H4zoaN0nbuxJko5Np4J7p0zDkJiLw6HxWp4zGiWIwT2o7vLE3guRMwyRVXO9dkUDWYMn+gWBAKovUuxnaDZD7PIJ/H8zTx3Yz7628+O4pRw2KlIh0/fkIzdLb08ciTd+kW2cM+z/W40SWfyGxExAOJ7AMei6jzcKc68f1Bamsf4QGIbKQz9UqHR5cBlCKpLVi3hYeembcW9ep7oVhTb5Y2TC0ZAzzb/feTdhI=", "c2_domain": ["anm.msn.com", "194.76.225.45", "msi.msn.com", "194.76.225.56"], "botnet": "1700", "server": "50", "serpent_key": "1OoXFPbINCQ6HCAa", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: OojqjHGE0W.exe | ReversingLabs: Detection: 46%
Source: OojqjHGE0W.exe | Joe Sandbox ML: detected
Source: 10.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.OojqjHGE0W.exe.8b5230.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 10.0.InstallUtil.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.OojqjHGE0W.exe.2580000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.OojqjHGE0W.exe.8b5230.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.OojqjHGE0W.exe.2580000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: OojqjHGE0W.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: OojqjHGE0W.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdb | source: OojqjHGE0W.exe
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP; | source: OojqjHGE0W.exe, 00000000.00000000.267737292.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, OojqjHGE0W.exe, 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP;Q | source: OojqjHGE0W.exe

                  Networking

Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49702 -> 52.169.118.173:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49702 -> 52.169.118.173:80
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.msn.com
Source: global traffic | HTTP traffic detected:
    GET /de-ch/ HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.msn.com
    Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDQ5NzI5NzksIlZlcnNpb24iOjF90; marketPref=de-ch
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="http://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="http://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="http://www.msn.com/de-ch/" /> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 79em)",size3column:"(min-width: 58.875em) and (max-width: 78.99em)",size2column:"(min-width: 43.75em) and (max-width: 58.865em)",size2rowsize4column:"(min-width: 79em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 58.865em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 79em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 58.875em) and (max-width: 78.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 58.865em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="http://www.msn.com/de-ch"/><meta property="og:url" content="http://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick{di
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ogp.me/ns#
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ogp.me/ns/fb#
Source: OojqjHGE0W.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: OojqjHGE0W.exe | String found in binary or memory: http://s.symcd.com06
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/d7cb56b9-/direction=ltr.l
Source: InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/d7cb56b9-/direction=ltr.lo
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAXt9ve.img?h=368&amp;w
Source: OojqjHGE0W.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: OojqjHGE0W.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: OojqjHGE0W.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.msn.com/de-ch
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&amp;anoncknm=%22%22&amp;name=%22M
Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.hoergeraete.hoeren-heute.ch/horizon_reveal/?act=ACT0000040013ACT&amp;utm_source=mcrs&amp
Source: OojqjHGE0W.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: OojqjHGE0W.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: OojqjHGE0W.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: InstallUtil.exe, 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58b8&amp;bhid=62470ee6adad76040858398f&a
Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58ba&amp;bhid=6203eb0e7db0ad17f44b22d8&a
Source: InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1652964100&amp;rver=7.0.6730.0&am
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/logout.srf?ct=1652964101&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1652964100&amp;rver=7.0.6730.0&amp;w
Source: InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot;
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com/
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/news/other/autofahrer-38-rast-mit-94-km-h-durch-30er-zone/ar-AAXsnwd?ocid=
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/news/other/fremdes-b%c3%bcsi-gef%c3%bcttert-frau-soll-1250-franken-strafe-
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/news/other/olivia-und-noah-sind-die-beliebtesten-baby-vornamen-in-z%c3%bcr
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-nimmt-baukran-kletterer-fest/ar-AAXq550?ocid=hplocalnew
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/news/other/stadtrat-handelt-in-z%c3%bcrich-west-mehr-preisg%c3%bcnstige-wo
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/news/other/weniger-verbindungen-zwischen-z%c3%bcrich-und-bern-daf%c3%bcr-m
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrcher-kantonsrat-pr%c3%bcft-nach-igelkot-vorfall-sicherh
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/shopping
Source: InstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/sport/other/der-fcz-verabschiedet-sich-von-doumbia-und-ceesay/ar-AAXsezM?o
Source: unknown | DNS traffic detected: queries for: anm.msn.com
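Added example, not from the report: a log check for the two HTTP traits this run exhibits. The User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) claims Internet Explorer 8 on Windows 10, a combination that never existed (IE 8 ran on Windows XP through Windows 7, NT 5.1 to 6.1; Windows 10 shipped only IE 11, whose UA string carries no MSIE token at all); the sandbox here is w10x64, which is consistent with the bot filling in the real OS version behind a fixed IE 8 template. The second check flags requests whose Host header is a bare IP literal, the form the two raw addresses in the configuration would take. One caveat a practitioner should note: the Snort alerts in this report fired on the port-80 connection to 52.169.118.173, i.e. the www.msn.com traffic, and the two configured IP addresses never appear in the capture. The log lines are constructed in a simplified four-field form, and MAX_NT_FOR_MSIE is from Microsoft's IE platform support history, not from the report.

```python
"""Flag the HTTP traits of this Ursnif run in proxy-style logs.

Added example, not part of the Joe Sandbox report. SAMPLE_LOG is
constructed; the first line reuses the exact User-Agent and Host seen in
the report, the second uses a C2 address from the extracted config.
"""
import ipaddress
import re

# Highest Windows NT version each MSIE release could run on (from IE's
# platform support history, not from the report). IE 8 ends at Windows 7
# (NT 6.1); Windows 10 (NT 10.0) only ever shipped IE 11, whose UA string
# does not contain the "MSIE" token.
MAX_NT_FOR_MSIE = {6: (5, 2), 7: (6, 0), 8: (6, 1), 9: (6, 1), 10: (6, 2)}

UA_RE = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+)\.(\d+)")


def ua_impossible(user_agent):
    """True when the claimed IE version never existed on the claimed NT version."""
    m = UA_RE.search(user_agent)
    if not m:
        return False
    msie = int(m.group(1))
    nt = (int(m.group(2)), int(m.group(3)))
    limit = MAX_NT_FOR_MSIE.get(msie)
    return limit is not None and nt > limit


def host_is_ip_literal(host):
    """True for a Host header such as '194.76.225.45' or '194.76.225.45:80'.

    Only the plain IPv4 'host' or 'host:port' forms are handled; bracketed
    IPv6 literals are out of scope for this example.
    """
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


# Constructed log lines: (client, server:port, Host header, User-Agent).
SAMPLE_LOG = [
    ("192.168.2.3", "52.169.118.173:80", "www.msn.com",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"),
    ("192.168.2.3", "194.76.225.45:80", "194.76.225.45",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"),
    # Real IE 11 on Windows 10: no MSIE token, so the UA check stays quiet.
    ("192.168.2.7", "52.169.118.173:80", "www.msn.com",
     "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    # Real IE 8 on Windows 7: a consistent pair, not flagged.
    ("192.168.2.9", "52.169.118.173:80", "www.msn.com",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"),
]


def detect(log):
    """Return (client, reason) tuples, one per suspicious trait per request."""
    hits = []
    for client, _server, host, ua in log:
        if ua_impossible(ua):
            hits.append((client, "impossible IE/Windows combination in User-Agent"))
        if host_is_ip_literal(host):
            hits.append((client, "HTTP Host header is a bare IP address"))
    return hits


if __name__ == "__main__":
    for client, reason in detect(SAMPLE_LOG):
        print(client, reason)
```

The UA check is deliberately narrow: it only fires on a claim that cannot be true, so it survives the ordinary noise of old browsers and embedded HTTP clients that still send MSIE strings on the platforms they actually ran on.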

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501753987.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501977722.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501825234.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501701977.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501914236.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5584, type: MEMORYSTR
Source: Yara match | File source: 10.2.InstallUtil.exe.1b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.InstallUtil.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.535054926.0000000001B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                  E-Banking Fraud

Source: Yara match | File source: 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501753987.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501977722.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501825234.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501701977.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.501914236.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5584, type: MEMORYSTR
Source: Yara match | File source: 10.2.InstallUtil.exe.1b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.InstallUtil.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.InstallUtil.exe.1b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.535054926.0000000001B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: OojqjHGE0W.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: String function: 00B38510 appears 105 times
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: String function: 00B381D0 appears 77 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 10_2_004015C0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 10_2_0040188D GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 10_2_004013B7 NtMapViewOfSection,
Source: OojqjHGE0W.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OojqjHGE0W.exe; Static PE information: invalid certificate
Source: OojqjHGE0W.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OojqjHGE0W.exe; ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\OojqjHGE0W.exe "C:\Users\user\Desktop\OojqjHGE0W.exe"
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine; Classification label: mal100.troj.evad.winEXE@3/0@2/1
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B28340 StartServiceA,StrokePath,SetCurrentDirectoryA,CreateActCtxW,CloseHandle,GetTapeStatus,SetCurrentDirectoryA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: OojqjHGE0W.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: OojqjHGE0W.exe; Static file information: File size 1241656 > 1048576
Source: OojqjHGE0W.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x111a00
Source: OojqjHGE0W.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OojqjHGE0W.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OojqjHGE0W.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OojqjHGE0W.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OojqjHGE0W.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OojqjHGE0W.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OojqjHGE0W.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdb source: OojqjHGE0W.exe
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP; source: OojqjHGE0W.exe, 00000000.00000000.267737292.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, OojqjHGE0W.exe, 00000000.00000002.478000343.0000000000B21000.00000020.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Wotagebe poqu viquowe\Hosayem\Cajap\Viseti.pdbP;Q source: OojqjHGE0W.exe
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B28AC2 push ebp; iretd
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B28A6D push es; iretd
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B28B2A push ebp; iretd
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B3A3D0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: initial sample; Static PE information: section name: .text entropy: 7.57139474025

Hooking and other Techniques for Hiding and Protection

Source: Yara match; File sources: the same memory dumps and unpacked PE files listed under E-Banking Fraud.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: OojqjHGE0W.exe, 00000000.00000002.477711873.00000000006FA000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: ODBGHELP.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLCMDVRT64.DLLCMDVRT32.DLLSBIEDLL.DLLBGAGENT.DLLH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5664; Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; API coverage: 7.5 %
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B3A1A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B3A3D0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B322D0 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B38260 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F21008
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page read and write
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\OojqjHGE0W.exe; Code function: 0_2_00B322F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 10_2_00401400 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information

Source: Yara match; File sources: the same memory dumps and unpacked PE files listed under E-Banking Fraud.

Remote Access Functionality

Source: Yara match; File sources: the same memory dumps and unpacked PE files listed under E-Banking Fraud.
MITRE ATT&CK matrix (techniques listed per tactic column; a number in front of a technique is the report's badge value, kept as extracted):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Windows Management Instrumentation; 2 Service Execution; 12 Native API; At (Windows); Cron; Launchd
Persistence: 1 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 1 Windows Service; 311 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 12 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 3 Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 22 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Remote System Discovery; 14 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
Antivirus detection, initial sample:
Source | Detection | Scanner | Label
OojqjHGE0W.exe | 46% | ReversingLabs | Win32.Trojan.Jaik
OojqjHGE0W.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files: No Antivirus matches

Antivirus detection, unpacked PE files:
Source | Detection | Scanner | Label
10.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.2.OojqjHGE0W.exe.8b5230.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
10.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
10.2.InstallUtil.exe.1340000.1.unpack | 100% | Avira | HEUR/AGEN.1245293
10.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.3.OojqjHGE0W.exe.2580000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.3.OojqjHGE0W.exe.8b5230.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.OojqjHGE0W.exe.2580000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7

Antivirus detection, domains: No Antivirus matches

Antivirus detection, URLs (strings truncated as extracted):
Source | Detection | Scanner | Label
https://mem.gfx.ms/meversion/?partner=msn&amp;market=de-ch&quot; | 0% | URL Reputation | safe
https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58ba&amp;bhid=6203eb0e7db0ad17f44b22d8&a | 0% | Avira URL Cloud | safe
https://cdn.hoergeraete.hoeren-heute.ch/horizon_reveal/?act=ACT0000040013ACT&amp;utm_source=mcrs&amp | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58b8&amp;bhid=62470ee6adad76040858398f&a | 0% | Avira URL Cloud | safe

Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
a-0003.fbs2-a-msedge.net | 13.107.40.203 | true | false | | unknown
anm.msn.com | unknown | unknown | false | | high
www.msn.com | unknown | unknown | false | | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://www.msn.com/de-ch/ | false | | high
http://www.msn.com/ | false | | high
                                                  high
                                                  https://www.msn.com/de-ch/news/other/z%c3%bcrcher-kantonsrat-pr%c3%bcft-nach-igelkot-vorfall-sicherhInstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.msn.com/de-chInstallUtil.exe, 0000000A.00000002.535230526.0000000004300000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535290243.0000000004396000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504725612.0000000004301000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.535347560.0000000004400000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://i.geistm.com/l/HFCH_DTS_LP?bcid=61c4707a19d27603f32a58b8&amp;bhid=62470ee6adad76040858398f&aInstallUtil.exe, 0000000A.00000003.504892855.0000000002049000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.40.203 | a-0003.fbs2-a-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                      Analysis ID:630152
Start date and time: 2022-05-19 14:38:37 +02:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 6m 49s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:OojqjHGE0W.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winEXE@3/0@2/1
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 96.7% (good quality ratio 96.7%)
                                                      • Quality average: 91.3%
                                                      • Quality standard deviation: 14%
                                                      HCA Information:
                                                      • Successful, ratio: 69%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                      • TCP Packets have been reduced to 100
                                                      • Excluded IPs from analysis (whitelisted): 52.169.118.173
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, redirection.prod.cms.msn.com.akadns.net, ctldl.windowsupdate.com, legacy-redirection-neurope-prod-hp.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • VT rate limit hit for: OojqjHGE0W.exe
                                                      No simulations
                                                      No context
                                                      No created / dropped files found
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.52461417001665
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:OojqjHGE0W.exe
                                                      File size:1241656
                                                      MD5:4ed3fa33609a51baf209a5954bef6633
                                                      SHA1:aff82f0554f18c780561d6b8b1ca5a1001e42512
                                                      SHA256:988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
                                                      SHA512:3beaba94d2a6df632b029d0c48521cea8adb98a1b7eeee9d547544415b36a251c41fabce2bcbbdaf53f4e090783f49d7c10e5d952d9313aa182aa1c2971201f4
                                                      SSDEEP:24576:21uu0F2xRqVHdQ9PerE5gOGFGtCZXUzvjJMFHk1Udgd:A02WdQ9GCOFb6eXO
                                                      TLSH:AC4501017D8CC031ECA226B43836E295A13B7D81672664CB65F9B3AF95B1BC0DD79363
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t.....U.].....`.d.....T.....}.m.s...t...,.....Q.v.....d.u...t.i.r.....c.u...Richt...................PE..L......b...
                                                      Icon Hash:54f9e0c4dcf8705d
                                                      Entrypoint:0x411fc0
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x6283FED8 [Tue May 17 20:00:24 2022 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:1
                                                      File Version Major:5
                                                      File Version Minor:1
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:1
                                                      Import Hash:06a834e3824803366fcfecb5c9777295
                                                      Signature Valid:false
                                                      Signature Issuer:CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                      Signature Validation Error:A certificate chain could not be built to a trusted root authority
                                                      Error Number:-2146762486
Not Before:12/29/2021 4:00:00 PM
Not After:9/2/2022 4:59:59 PM
                                                      Subject Chain
                                                      • CN=exxon.com, O=Exxon Mobil Corporation, L=Irving, S=Texas, C=US
                                                      Version:3
                                                      Thumbprint MD5:B7C2B39C14AF65D1434078B10A8064DE
                                                      Thumbprint SHA-1:9B93192A2BF5E6EC0A32E4966431D1E2FD1FA4AF
                                                      Thumbprint SHA-256:97135CBA56D0300287DF31C8B39546AD4605FB9C88311AEB0B12B76AC15C46BF
                                                      Serial:0A2787FBB4627C91611573E323584113
                                                      Instruction
                                                      mov edi, edi
                                                      push ebp
                                                      mov ebp, esp
                                                      call 00007FEAECD8B32Bh
                                                      call 00007FEAECD8B036h
                                                      pop ebp
                                                      ret
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      mov edi, edi
                                                      push ebp
                                                      mov ebp, esp
                                                      push FFFFFFFEh
                                                      push 00511B30h
                                                      push 00416210h
                                                      mov eax, dword ptr fs:[00000000h]
                                                      push eax
                                                      add esp, FFFFFF98h
                                                      push ebx
                                                      push esi
                                                      push edi
                                                      mov eax, dword ptr [00513064h]
                                                      xor dword ptr [ebp-08h], eax
                                                      xor eax, ebp
                                                      push eax
                                                      lea eax, dword ptr [ebp-10h]
                                                      mov dword ptr fs:[00000000h], eax
                                                      mov dword ptr [ebp-18h], esp
                                                      mov dword ptr [ebp-70h], 00000000h
                                                      lea eax, dword ptr [ebp-60h]
                                                      push eax
                                                      call dword ptr [00401044h]
                                                      cmp dword ptr [00515DDCh], 00000000h
                                                      jne 00007FEAECD8B010h
                                                      push 00000000h
                                                      push 00000000h
                                                      push 00000001h
                                                      push 00000000h
                                                      call dword ptr [00401040h]
                                                      call 00007FEAECD8B193h
                                                      mov dword ptr [ebp-6Ch], eax
                                                      call 00007FEAECD8F16Bh
                                                      test eax, eax
                                                      jne 00007FEAECD8B00Ch
                                                      push 0000001Ch
                                                      call 00007FEAECD8B150h
                                                      add esp, 04h
                                                      call 00007FEAECD8EAC8h
                                                      test eax, eax
                                                      jne 00007FEAECD8B00Ch
                                                      push 00000010h
                                                      call 00007FEAECD8B13Dh
                                                      Programming Language:
                                                      • [LNK] VS2010 build 30319
                                                      • [ASM] VS2010 build 30319
                                                      • [ C ] VS2010 build 30319
                                                      • [C++] VS2010 build 30319
                                                      • [RES] VS2010 build 30319
                                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x112114 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x116000 | 0x17630 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x12de00 | 0x1438
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12e000 | 0x1638 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1180 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8118 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x140 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11184a | 0x111a00 | False | 0.832347104842 | data | 7.57139474025 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x113000 | 0x2de0 | 0x1000 | False | 0.190673828125 | data | 2.23907016207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x116000 | 0x17630 | 0x17800 | False | 0.692538646941 | data | 6.63567575561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12e000 | 0x36a4 | 0x3800 | False | 0.331473214286 | data | 3.51322756003 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1163d0 | 0xd633 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON | 0x123a08 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x127c30 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x12a1d8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 41910143
RT_ICON | 0x12b280 | 0x988 | data
RT_ICON | 0x12bc08 | 0x468 | GLS_BINARY_LSB_FIRST
RT_MENU | 0x12d380 | 0x4 | data
RT_DIALOG | 0x12d388 | 0xf0 | data
RT_DIALOG | 0x12d478 | 0x88 | data
RT_DIALOG | 0x12d500 | 0x12c | data
RT_STRING | 0x12c2b8 | 0x1e8 | data
RT_STRING | 0x12c4a0 | 0x424 | data
RT_STRING | 0x12c8c8 | 0x43c | data
RT_STRING | 0x12cd08 | 0x4fc | data
RT_STRING | 0x12d208 | 0x174 | data
RT_GROUP_ICON | 0x12c070 | 0x5a | data
RT_VERSION | 0x12c0d0 | 0x1e4 | data
DLL | Import
KERNEL32.dll | GetProcAddress, GetTapeStatus, Sleep, LocalAlloc, CloseHandle, CreateActCtxW, SetCurrentDirectoryA, LoadLibraryW, GetModuleHandleW, ResetEvent, GetCommandLineW, HeapSetInformation, GetStartupInfoW, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, InterlockedIncrement, InterlockedDecrement, DecodePointer, ExitProcess, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, HeapValidate, IsBadReadPtr, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetModuleFileNameA, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, GetConsoleMode, RaiseException, SetStdHandle, CreateFileW, FlushFileBuffers
GDI32.dll | StrokePath
ADVAPI32.dll | StartServiceA, CloseEventLog
Description | Data
LegalCopyright | Copyright 2012-2022 by Kone LLC All Rights Reserved.
FileVersion | 87.90.67.49
ProductVersion | 70.56.51.66
Translation | 0x0838 0x03a4
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/19/22-14:41:40.292996 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49702 | 80 | 192.168.2.3 | 52.169.118.173
05/19/22-14:41:40.292996 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49702 | 80 | 192.168.2.3 | 52.169.118.173
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      May 19, 2022 14:41:40.939275980 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939341068 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.939419985 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.939547062 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939582109 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939611912 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939615011 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.939640045 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939672947 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.939692020 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939724922 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.939743042 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939773083 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.939801931 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.939929962 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939976931 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.939985037 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.940009117 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.940037966 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.940047026 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.940068960 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.940104961 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.940218925 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.940260887 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.940289974 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.940351009 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941071033 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941108942 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941138029 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941155910 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941165924 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941198111 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941199064 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941226006 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941261053 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941303968 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941472054 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941521883 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941545010 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941579103 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941605091 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941606998 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941634893 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941634893 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941664934 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941670895 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941694975 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941704035 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941725016 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941730976 CEST4970380192.168.2.313.107.40.203
                                                      May 19, 2022 14:41:40.941754103 CEST804970313.107.40.203192.168.2.3
                                                      May 19, 2022 14:41:40.941760063 CEST4970380192.168.2.313.107.40.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 19, 2022 14:41:40.197166920 CEST | 51229 | 53 | 192.168.2.3 | 8.8.8.8
May 19, 2022 14:41:40.389507055 CEST | 64851 | 53 | 192.168.2.3 | 8.8.8.8
May 19, 2022 14:41:40.408665895 CEST | 53 | 64851 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 19, 2022 14:41:40.197166920 CEST | 192.168.2.3 | 8.8.8.8 | 0x918e | Standard query (0) | anm.msn.com | A (IP address) | IN (0x0001)
May 19, 2022 14:41:40.389507055 CEST | 192.168.2.3 | 8.8.8.8 | 0x35a | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 19, 2022 14:41:40.229801893 CEST | 8.8.8.8 | 192.168.2.3 | 0x918e | No error (0) | anm.msn.com | redirection.prod.cms.msn.com | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.229801893 CEST | 8.8.8.8 | 192.168.2.3 | 0x918e | No error (0) | redirection.prod.cms.msn.com | redirection.prod.cms.msn.com.akadns.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | www-msn-com.a-0003.a-msedge.net | icePrime.a-0003.dc-msedge.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | icePrime.a-0003.dc-msedge.net | a-0003.fbs2-a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
May 19, 2022 14:41:40.408665895 CEST | 8.8.8.8 | 192.168.2.3 | 0x35a | No error (0) | a-0003.fbs2-a-msedge.net | | 13.107.40.203 | A (IP address) | IN (0x0001)
                                                      • www.msn.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49703 | 13.107.40.203 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | kBytes transferred | Direction | Data
May 19, 2022 14:41:40.455178022 CEST | 109 | OUT | GET / HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Host: www.msn.com
May 19, 2022 14:41:40.559830904 CEST | 110 | IN | HTTP/1.1 302 Found
                                                      Cache-Control: no-cache, no-store, no-transform
                                                      Pragma: no-cache
                                                      Content-Length: 142
                                                      Content-Type: text/html; charset=utf-8
                                                      Expires: -1
                                                      Location: http://www.msn.com/de-ch/
                                                      Vary: User-Agent
                                                      Set-Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDQ5NzI5NzksIlZlcnNpb24iOjF90; domain=msn.com; expires=Fri, 19-May-2023 12:41:40 GMT; path=/; HttpOnly
                                                      Set-Cookie: marketPref=de-ch; domain=msn.com; expires=Fri, 19-May-2023 12:41:40 GMT; path=/; HttpOnly
                                                      Access-Control-Allow-Origin: *
                                                      X-AspNetMvc-Version: 5.2
                                                      X-AppVersion: 20220517_28677693
                                                      X-Activity-Id: efab37a0-e368-4926-ad9f-55ad4ca02ec9
                                                      X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 20, sn: neurope-prod-hp, dt: 2022-05-18T22:13:14.6536596Z, bt: 2022-05-17T20:41:53.5606999Z}
                                                      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                                      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
                                                      X-UA-Compatible: IE=Edge;chrome=1
                                                      X-Content-Type-Options: nosniff
                                                      X-FRAME-OPTIONS: SAMEORIGIN
                                                      X-Powered-By: ASP.NET
                                                      Ac
                                                      Data Raw:
                                                      Data Ascii:
May 19, 2022 14:41:40.597235918 CEST | 111 | OUT | GET /de-ch/ HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                      Connection: Keep-Alive
                                                      Cache-Control: no-cache
                                                      Host: www.msn.com
                                                      Cookie: PreferencesMsn=eyJIb21lUGFnZSI6eyJTdHJpcGVzIjpbXSwiTWVTdHJpcGVNb2R1bGVzIjpbXSwiTWFya2V0Q29uZmlndXJhdGlvbiI6eyJNYXJrZXQiOiJkZS1jaCIsIlN1cHByZXNzUHJvbXB0IjpmYWxzZSwiUHJlZmVycmVkTGFuZ3VhZ2VDb2RlIjoiZGUtZGUiLCJDb3VudHJ5Q29kZSI6IkNIIn19LCJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDQ5NzI5NzksIlZlcnNpb24iOjF90; marketPref=de-ch
May 19, 2022 14:41:40.899105072 CEST | 113 | IN | HTTP/1.1 200 OK
                                                      Cache-Control: no-cache, no-store, no-transform
                                                      Pragma: no-cache
                                                      Content-Length: 336579
                                                      Content-Type: text/html; charset=utf-8
                                                      Expires: -1
                                                      Vary: User-Agent
                                                      Set-Cookie: PreferencesMsn=eyJFeHBpcnlUaW1lIjo2MzgyMDA5NjkwMDYzNzkyNDAsIlZlcnNpb24iOjF90; domain=msn.com; expires=Fri, 19-May-2023 12:41:40 GMT; path=/; HttpOnly
                                                      Access-Control-Allow-Origin: *
                                                      X-AspNetMvc-Version: 5.2
                                                      X-AppVersion: 20220517_28677693
                                                      X-Activity-Id: ded43fef-0e10-4ef5-a726-676e283054af
                                                      X-Az: {did:2be360ae5c6345da911d978376c0449f, rid: 20, sn: neurope-prod-hp, dt: 2022-05-18T22:13:14.6536596Z, bt: 2022-05-17T20:41:53.5606999Z}
                                                      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
                                                      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
                                                      X-UA-Compatible: IE=Edge;chrome=1
                                                      X-Content-Type-Options: nosniff
                                                      X-FRAME-OPTIONS: SAMEORIGIN
                                                      X-Powered-By: ASP.NET
                                                      Access-Control-Allow-Methods: HEAD,GET,OPTIONS
                                                      X-XSS-Protection: 1
                                                      X-Cache: CONFIG_NOCACHE
                                                      X-MSEdge-Ref: Ref A: DED43FEF0E104EF5A726676E283054AF Ref B: HEL01EDGE1020 Ref C: 2022-05-19T12:41:40Z
                                                      Date: Thu, 19 May 2022 12:41:40 GMT
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 66 62 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 2f 66 62 23 22 20 20 6c 61 6e 67 3d 22 64 65 2d 43 48 22 20 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 22 20 20 63 6c 61 73
                                                      Data Ascii: <!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" style="font-size:62.5%" clas



                                                      Target ID:0
                                                      Start time:14:39:49
                                                      Start date:19/05/2022
                                                      Path:C:\Users\user\Desktop\OojqjHGE0W.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\OojqjHGE0W.exe"
                                                      Imagebase:0xb20000
                                                      File size:1241656 bytes
                                                      MD5 hash:4ED3FA33609A51BAF209A5954BEF6633
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low

                                                      Target ID:10
                                                      Start time:14:41:25
                                                      Start date:19/05/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                      Imagebase:0xd80000
                                                      File size:41064 bytes
                                                      MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.504942023.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501961576.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.502032730.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000002.535140555.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501571456.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501753987.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000002.535054926.0000000001B69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501977722.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501825234.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501701977.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000003.501914236.00000000020C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high

                                                      No disassembly