
Windows Analysis Report
https://wwre.lanzoup.com/iUb312qvvxyd

Overview

General Information

Sample URL:https://wwre.lanzoup.com/iUb312qvvxyd
Analysis ID:1641705

Detection

Score:52
Range:0 - 100
Confidence:100%

Signatures

Yara detected ZipBomb
Drops password protected ZIP file
Dynamic code execution using eval()
HTML page contains hidden javascript code
Program does not show much activity (idle)
Script element or tag injection

Classification

Classification labels: Ransomware | Spreading | Phishing | Banker | Trojan / Bot | Adware | Spyware | Exploiter | Evader | Miner — verdict scale: clean | suspicious | malicious
  • System is w10x64_ra
  • chrome.exe (PID: 6760 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized "about:blank" MD5: B6CB00FCB81D3B66870817AEBE7163BB)
    • chrome.exe (PID: 2556 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2044 --field-trial-handle=1792,i,5437045901747490287,607807609955483898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: B6CB00FCB81D3B66870817AEBE7163BB)
  • chrome.exe (PID: 7140 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" "https://wwre.lanzoup.com/iUb312qvvxyd" MD5: B6CB00FCB81D3B66870817AEBE7163BB)
  • chrome.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?<?=$codepost?> MD5: B6CB00FCB81D3B66870817AEBE7163BB)
  • chrome.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?<?=$codepost?> MD5: B6CB00FCB81D3B66870817AEBE7163BB)
  • chrome.exe (PID: 7176 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?> MD5: B6CB00FCB81D3B66870817AEBE7163BB)
  • chrome.exe (PID: 7276 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?> MD5: B6CB00FCB81D3B66870817AEBE7163BB)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\Downloads\e5e58d59-b168-46cc-abcd-2069309faeec.tmp | JoeSecurity_ZipBomb | Yara detected ZipBomb | Joe Security
    No Sigma rule has matched
    No Suricata rule has matched


    Source: https\://wwre.lanzoup.com/iUb312qvvxydJavaScript Tracing: call to eval("(function(){var w=window.jQuery,_$=window.$;var D=window.jQuery=window.$=function(a,b){return new D.fn.init(a,b)};var u=/^[^<]*(<(.|\\s)+>)[^>]*$|^#(\\w+)$/,isSimple=/^.[^\:#\\[\\.]*$/,undefined;D.fn=D.prototype={init\:function(d,b){d=d||document;if(d.nodeType){this[0]=d;this.length=1;return this}if(typeof d=="string"){var c=u.exec(d);if(c&&(c[1]||!b)){if(c[1])d=D.clean([c[1]],b);else{var a=document.getElementById(c[3]);if(a){if(a.id!=c[3])return D().find(d);return D(a)}d=[]}}else return D(b).find(d)}else if(D.isFunction(d))return D(document)[D.fn.ready?"ready"\:"load"](d);return this.setArray(D.makeArray(d))},jquery\:"1.2.6",size\:function(){return this.length},length\:0,get\:function(a){return a==undefined?D.makeArray(this)\:this[a]},pushStack\:function(b){var a=D(b);a.prevObject=this;return a},setArray\:function(a){this.length=0;Array.prototype.push.apply(this,a);return this},each\:function(a,b){return D.each(this,a,b)},index\:function(b){var a=-1;return D.inArray(b&&b.jquery?b[0]\:b,this)},attr\:function(c,a,b){var d=c;if(c.constructor==String)if(a===undefined)return this[0]&&D[b||"attr"](this[0],c);else{d={};d[c]=a}return this.each(function(i){for(c in d)D.attr(b?this.style\:this,c,D.prop(this,d[c],b,i,c))})},css\:function(b,a){if((b=='width'||b=='height')&&parseFloat(a)<0)a=undefined;return this.attr(b,a,"curCSS")},text\:function(b){if(typeof b!="object"&&b!=null)return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(b));var a="";D.each(b||this,function(){D.each(this.childNodes,function(){if(this.nodeType!=8)a+=this.nodeType!=1?this.nodeValue\:D.fn.text([this])})});return a},wrapAll\:function(b){if(this[0])D(b,this[0].ownerDocument).clone().insertBefore(this[0]).map(function(){var a=this;while(a.firstChild)a=a.firstChild;return a}).append(this);return this},wrapInner\:function(a){return 
this.each(function(){D(this).contents().wrapAll(a)})},wrap\:function(a){return this.each(function(){D(this).wrapAll(a)})},append\:function(){return this.domManip(arguments,true,false,function(a){if(this.nodeType==1)this.appendChild(a)})},prepend\:function(){return this.domManip(arguments,true,true,function(a){if(this.nodeType==1)this.insertBefore(a,this.firstChild)})},before\:function(){return this.domManip(arguments,false,false,function(a){this.parentNode.insertBefore(a,this)})},after\:function(){return this.domManip(arguments,false,true,function(a){this.parentNode.insertBefore(a,this.nextSibling)})},end\:function(){return this.prevObject||D([])},find\:function(b){var c=D.map(this,function(a){return D.find(b,a)});return this.pushStack(/[^+>] [^+>]/.test(b)||b.indexOf("..")>-1?D.unique(c)\:c)},clone\:function(e){var f=this.map(function(){if(D.browser.msie&&!D.isXMLDoc(this)){var a=this.cloneNode(true),container=document.createElement("div");container.appendChild(a);return D.clean([container.innerHTML])[0]}else return this.cloneNode(true)});var d=f.find("*").andSelf().each(function(){if(this[E]!=undefined)this[E]=nu
    Source: https\://wwre.lanzoup.com/iUb312qvvxydJavaScript Tracing: call to eval("")
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3EJavaScript Tracing: call to eval("(function(){var w=window.jQuery,_$=window.$;var D=window.jQuery=window.$=function(a,b){return new D.fn.init(a,b)};var u=/^[^<]*(<(.|\\s)+>)[^>]*$|^#(\\w+)$/,isSimple=/^.[^\:#\\[\\.]*$/,undefined;D.fn=D.prototype={init\:function(d,b){d=d||document;if(d.nodeType){this[0]=d;this.length=1;return this}if(typeof d=="string"){var c=u.exec(d);if(c&&(c[1]||!b)){if(c[1])d=D.clean([c[1]],b);else{var a=document.getElementById(c[3]);if(a){if(a.id!=c[3])return D().find(d);return D(a)}d=[]}}else return D(b).find(d)}else if(D.isFunction(d))return D(document)[D.fn.ready?"ready"\:"load"](d);return this.setArray(D.makeArray(d))},jquery\:"1.2.6",size\:function(){return this.length},length\:0,get\:function(a){return a==undefined?D.makeArray(this)\:this[a]},pushStack\:function(b){var a=D(b);a.prevObject=this;return a},setArray\:function(a){this.length=0;Array.prototype.push.apply(this,a);return this},each\:function(a,b){return D.each(this,a,b)},index\:function(b){var a=-1;return D.inArray(b&&b.jquery?b[0]\:b,this)},attr\:function(c,a,b){var d=c;if(c.constructor==String)if(a===undefined)return this[0]&&D[b||"attr"](this[0],c);else{d={};d[c]=a}return this.each(function(i){for(c in d)D.attr(b?this.style\:this,c,D.prop(this,d[c],b,i,c))})},css\:function(b,a){if((b=='width'||b=='height')&&parseFloat(a)<0)a=undefined;return this.attr(b,a,"curCSS")},text\:function(b){if(typeof b!="object"&&b!=null)return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(b));var a="";D.each(b||this,function(){D.each(this.childNodes,function(){if(this.nodeType!=8)a+=this.nodeType!=1?this.nodeValue\:D.fn.text([this])})});return a},wrapAll\:function(b){if(this[0])D(b,this[0].ownerDocument).clone().insertBefore(this[0]).map(function(){var a=this;while(a.firstChild)a=a.firstChild;return a}).append(this);return this},wrapInner\:function(a){return 
this.each(function(){D(this).contents().wrapAll(a)})},wrap\:function(a){return this.each(function(){D(this).wrapAll(a)})},append\:function(){return this.domManip(arguments,true,false,function(a){if(this.nodeType==1)this.appendChild(a)})},prepend\:function(){return this.domManip(arguments,true,true,function(a){if(this.nodeType==1)this.insertBefore(a,this.firstChild)})},before\:function(){return this.domManip(arguments,false,false,function(a){this.parentNode.insertBefore(a,this)})},after\:function(){return this.domManip(arguments,false,true,function(a){this.parentNode.insertBefore(a,this.nextSibling)})},end\:function(){return this.prevObject||D([])},find\:function(b){var c=D.map(this,function(a){return D.find(b,a)});return this.pushStack(/[^+>] [^+>]/.test(b)||b.indexOf("..")>-1?D.unique(c)\:c)},clone\:function(e){var f=this.map(function(){if(D.browser.msie&&!D.isXMLDoc(this)){var a=this.cloneNode(true),container=document.createElement("div");container.appendChild(a);return D.clean([container.innerHTML])[0]}else return this.cloneNode(true)});var d=f.find("*").andSelf().each(function(){if(this[E]!=undefined)this[E]=nu
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3EJavaScript Tracing: call to eval("")
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3EJavaScript Tracing: call to eval("(function(){var w=window.jQuery,_$=window.$;var D=window.jQuery=window.$=function(a,b){return new D.fn.init(a,b)};var u=/^[^<]*(<(.|\\s)+>)[^>]*$|^#(\\w+)$/,isSimple=/^.[^\:#\\[\\.]*$/,undefined;D.fn=D.prototype={init\:function(d,b){d=d||document;if(d.nodeType){this[0]=d;this.length=1;return this}if(typeof d=="string"){var c=u.exec(d);if(c&&(c[1]||!b)){if(c[1])d=D.clean([c[1]],b);else{var a=document.getElementById(c[3]);if(a){if(a.id!=c[3])return D().find(d);return D(a)}d=[]}}else return D(b).find(d)}else if(D.isFunction(d))return D(document)[D.fn.ready?"ready"\:"load"](d);return this.setArray(D.makeArray(d))},jquery\:"1.2.6",size\:function(){return this.length},length\:0,get\:function(a){return a==undefined?D.makeArray(this)\:this[a]},pushStack\:function(b){var a=D(b);a.prevObject=this;return a},setArray\:function(a){this.length=0;Array.prototype.push.apply(this,a);return this},each\:function(a,b){return D.each(this,a,b)},index\:function(b){var a=-1;return D.inArray(b&&b.jquery?b[0]\:b,this)},attr\:function(c,a,b){var d=c;if(c.constructor==String)if(a===undefined)return this[0]&&D[b||"attr"](this[0],c);else{d={};d[c]=a}return this.each(function(i){for(c in d)D.attr(b?this.style\:this,c,D.prop(this,d[c],b,i,c))})},css\:function(b,a){if((b=='width'||b=='height')&&parseFloat(a)<0)a=undefined;return this.attr(b,a,"curCSS")},text\:function(b){if(typeof b!="object"&&b!=null)return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(b));var a="";D.each(b||this,function(){D.each(this.childNodes,function(){if(this.nodeType!=8)a+=this.nodeType!=1?this.nodeValue\:D.fn.text([this])})});return a},wrapAll\:function(b){if(this[0])D(b,this[0].ownerDocument).clone().insertBefore(this[0]).map(function(){var a=this;while(a.firstChild)a=a.firstChild;return a}).append(this);return this},wrapInner\:function(a){return 
this.each(function(){D(this).contents().wrapAll(a)})},wrap\:function(a){return this.each(function(){D(this).wrapAll(a)})},append\:function(){return this.domManip(arguments,true,false,function(a){if(this.nodeType==1)this.appendChild(a)})},prepend\:function(){return this.domManip(arguments,true,true,function(a){if(this.nodeType==1)this.insertBefore(a,this.firstChild)})},before\:function(){return this.domManip(arguments,false,false,function(a){this.parentNode.insertBefore(a,this)})},after\:function(){return this.domManip(arguments,false,true,function(a){this.parentNode.insertBefore(a,this.nextSibling)})},end\:function(){return this.prevObject||D([])},find\:function(b){var c=D.map(this,function(a){return D.find(b,a)});return this.pushStack(/[^+>] [^+>]/.test(b)||b.indexOf("..")>-1?D.unique(c)\:c)},clone\:function(e){var f=this.map(function(){if(D.browser.msie&&!D.isXMLDoc(this)){var a=this.cloneNode(true),container=document.createElement("div");container.appendChild(a);return D.clean([container.innerHTML])[0]}else return this.cloneNode(true)});var d=f.find("*").andSelf().each(function(){if(this[E]!=undefined)this[E]=nu
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3EJavaScript Tracing: call to eval("")
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3EJavaScript Tracing: call to eval("(function(){var w=window.jQuery,_$=window.$;var D=window.jQuery=window.$=function(a,b){return new D.fn.init(a,b)};var u=/^[^<]*(<(.|\\s)+>)[^>]*$|^#(\\w+)$/,isSimple=/^.[^\:#\\[\\.]*$/,undefined;D.fn=D.prototype={init\:function(d,b){d=d||document;if(d.nodeType){this[0]=d;this.length=1;return this}if(typeof d=="string"){var c=u.exec(d);if(c&&(c[1]||!b)){if(c[1])d=D.clean([c[1]],b);else{var a=document.getElementById(c[3]);if(a){if(a.id!=c[3])return D().find(d);return D(a)}d=[]}}else return D(b).find(d)}else if(D.isFunction(d))return D(document)[D.fn.ready?"ready"\:"load"](d);return this.setArray(D.makeArray(d))},jquery\:"1.2.6",size\:function(){return this.length},length\:0,get\:function(a){return a==undefined?D.makeArray(this)\:this[a]},pushStack\:function(b){var a=D(b);a.prevObject=this;return a},setArray\:function(a){this.length=0;Array.prototype.push.apply(this,a);return this},each\:function(a,b){return D.each(this,a,b)},index\:function(b){var a=-1;return D.inArray(b&&b.jquery?b[0]\:b,this)},attr\:function(c,a,b){var d=c;if(c.constructor==String)if(a===undefined)return this[0]&&D[b||"attr"](this[0],c);else{d={};d[c]=a}return this.each(function(i){for(c in d)D.attr(b?this.style\:this,c,D.prop(this,d[c],b,i,c))})},css\:function(b,a){if((b=='width'||b=='height')&&parseFloat(a)<0)a=undefined;return this.attr(b,a,"curCSS")},text\:function(b){if(typeof b!="object"&&b!=null)return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(b));var a="";D.each(b||this,function(){D.each(this.childNodes,function(){if(this.nodeType!=8)a+=this.nodeType!=1?this.nodeValue\:D.fn.text([this])})});return a},wrapAll\:function(b){if(this[0])D(b,this[0].ownerDocument).clone().insertBefore(this[0]).map(function(){var a=this;while(a.firstChild)a=a.firstChild;return a}).append(this);return this},wrapInner\:function(a){return 
this.each(function(){D(this).contents().wrapAll(a)})},wrap\:function(a){return this.each(function(){D(this).wrapAll(a)})},append\:function(){return this.domManip(arguments,true,false,function(a){if(this.nodeType==1)this.appendChild(a)})},prepend\:function(){return this.domManip(arguments,true,true,function(a){if(this.nodeType==1)this.insertBefore(a,this.firstChild)})},before\:function(){return this.domManip(arguments,false,false,function(a){this.parentNode.insertBefore(a,this)})},after\:function(){return this.domManip(arguments,false,true,function(a){this.parentNode.insertBefore(a,this.nextSibling)})},end\:function(){return this.prevObject||D([])},find\:function(b){var c=D.map(this,function(a){return D.find(b,a)});return this.pushStack(/[^+>] [^+>]/.test(b)||b.indexOf("..")>-1?D.unique(c)\:c)},clone\:function(e){var f=this.map(function(){if(D.browser.msie&&!D.isXMLDoc(this)){var a=this.cloneNode(true),container=document.createElement("div");container.appendChild(a);return D.clean([container.innerHTML])[0]}else return this.cloneNode(true)});var d=f.find("*").andSelf().each(function(){if(this[E]!=undefined)this[E]=nu
    Source: https\://developer-oss.lanrar.com/file/?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JavaScript Tracing: call to eval("(function(){var w=window.jQuery,_$=window.$;var D=window.jQuery=window.$=function(a,b){return new D.fn.init(a,b)};var u=/^[^<]*(<(.|\\s)+>)[^>]*$|^#(\\w+)$/,isSimple=/^.[^\:#\\[\\.]*$/,undefined;D.fn=D.prototype={init\:function(d,b){d=d||document;if(d.nodeType){this[0]=d;this.length=1;return this}if(typeof d=="string"){var c=u.exec(d);if(c&&(c[1]||!b)){if(c[1])d=D.clean([c[1]],b);else{var a=document.getElementById(c[3]);if(a){if(a.id!=c[3])return D().find(d);return D(a)}d=[]}}else return D(b).find(d)}else if(D.isFunction(d))return D(document)[D.fn.ready?"ready"\:"load"](d);return this.setArray(D.makeArray(d))},jquery\:"1.2.6",size\:function(){return this.length},length\:0,get\:function(a){return a==undefined?D.makeArray(this)\:this[a]},pushStack\:function(b){var a=D(b);a.prevObject=this;return a},setArray\:function(a){this.length=0;Array.prototype.push.apply(this,a);return this},each\:function(a,b){return D.each(this,a,b)},index\:function(b){var a=-1;return D.inArray(b&&b.jquery?b[0]\:b,this)},attr\:function(c,a,b){var d=c;if(c.constructor==String)if(a===undefined)return this[0]&&D[b||"attr"](this[0],c);else{d={};d[c]=a}return this.each(function(i){for(c in d)D.attr(b?this.style\:this,c,D.prop(this,d[c],b,i,c))})},css\:function(b,a){if((b=='width'||b=='height')&&parseFloat(a)<0)a=undefined;return this.attr(b,a,"curCSS")},text\:function(b){if(typeof b!="object"&&b!=null)return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(b));var a="";D.each(b||this,function(){D.each(this.childNodes,function(){if(this.nodeType!=8)a+=this.nodeType!=1?this.nodeValue\:D.fn.text([this])})});return a},wrapAll\:function(b){if(this[0])D(b,this[0].ownerDocument).clone().insertBefore(this[0]).map(function(){var a=this;while(a.firstChild)a=a.firstChild;return a}).append(this);return this},wrapInner\:function(a){return 
this.each(function(){D(this).contents().wrapAll(a)})},wrap\:function(a){return this.each(function(){D(this).wrapAll(a)})},append\:function(){return this.domManip(arguments,true,false,function(a){if(this.nodeType==1)this.appendChild(a)})},prepend\:function(){return this.domManip(arguments,true,true,function(a){if(this.nodeType==1)this.insertBefore(a,this.firstChild)})},before\:function(){return this.domManip(arguments,false,false,function(a){this.parentNode.insertBefore(a,this)})},after\:function(){return this.domManip(arguments,false,true,function(a){this.parentNode.insertBefore(a,this.nextSibling)})},end\:function(){return this.prevObject||D([])},find\:function(b){var c=D.map(this,function(a){return D.find(b,a)});return this.pushStack(/[^+>] [^+>]/.test(b)||b.indexOf("..")>-1?D.unique(c)\:c)},clone\:function(e){var f=this.map(function(){if(D.browser.msie&&!D.isXMLDoc(this)){var a=this.cloneNode(true),container=document.createElement("div");container.appendChild(a);return D.clean([container.innerHTML])[0]}else return this.cloneNode(true)});var d=f.find("*").andSelf().each(function(){if(this[E]!=undefined)this[E]=nu
    Source: https\://developer-oss.lanrar.com/file/?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JavaScript Tracing: call to eval("")
    Source: https\://developer-oss.lanrar.com/file/?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JavaScript Tracing: call to eval("(function(){var w=window.jQuery,_$=window.$;var D=window.jQuery=window.$=function(a,b){return new D.fn.init(a,b)};var u=/^[^<]*(<(.|\\s)+>)[^>]*$|^#(\\w+)$/,isSimple=/^.[^\:#\\[\\.]*$/,undefined;D.fn=D.prototype={init\:function(d,b){d=d||document;if(d.nodeType){this[0]=d;this.length=1;return this}if(typeof d=="string"){var c=u.exec(d);if(c&&(c[1]||!b)){if(c[1])d=D.clean([c[1]],b);else{var a=document.getElementById(c[3]);if(a){if(a.id!=c[3])return D().find(d);return D(a)}d=[]}}else return D(b).find(d)}else if(D.isFunction(d))return D(document)[D.fn.ready?"ready"\:"load"](d);return this.setArray(D.makeArray(d))},jquery\:"1.2.6",size\:function(){return this.length},length\:0,get\:function(a){return a==undefined?D.makeArray(this)\:this[a]},pushStack\:function(b){var a=D(b);a.prevObject=this;return a},setArray\:function(a){this.length=0;Array.prototype.push.apply(this,a);return this},each\:function(a,b){return D.each(this,a,b)},index\:function(b){var a=-1;return D.inArray(b&&b.jquery?b[0]\:b,this)},attr\:function(c,a,b){var d=c;if(c.constructor==String)if(a===undefined)return this[0]&&D[b||"attr"](this[0],c);else{d={};d[c]=a}return this.each(function(i){for(c in d)D.attr(b?this.style\:this,c,D.prop(this,d[c],b,i,c))})},css\:function(b,a){if((b=='width'||b=='height')&&parseFloat(a)<0)a=undefined;return this.attr(b,a,"curCSS")},text\:function(b){if(typeof b!="object"&&b!=null)return this.empty().append((this[0]&&this[0].ownerDocument||document).createTextNode(b));var a="";D.each(b||this,function(){D.each(this.childNodes,function(){if(this.nodeType!=8)a+=this.nodeType!=1?this.nodeValue\:D.fn.text([this])})});return a},wrapAll\:function(b){if(this[0])D(b,this[0].ownerDocument).clone().insertBefore(this[0]).map(function(){var a=this;while(a.firstChild)a=a.firstChild;return a}).append(this);return this},wrapInner\:function(a){return 
this.each(function(){D(this).contents().wrapAll(a)})},wrap\:function(a){return this.each(function(){D(this).wrapAll(a)})},append\:function(){return this.domManip(arguments,true,false,function(a){if(this.nodeType==1)this.appendChild(a)})},prepend\:function(){return this.domManip(arguments,true,true,function(a){if(this.nodeType==1)this.insertBefore(a,this.firstChild)})},before\:function(){return this.domManip(arguments,false,false,function(a){this.parentNode.insertBefore(a,this)})},after\:function(){return this.domManip(arguments,false,true,function(a){this.parentNode.insertBefore(a,this.nextSibling)})},end\:function(){return this.prevObject||D([])},find\:function(b){var c=D.map(this,function(a){return D.find(b,a)});return this.pushStack(/[^+>] [^+>]/.test(b)||b.indexOf("..")>-1?D.unique(c)\:c)},clone\:function(e){var f=this.map(function(){if(D.browser.msie&&!D.isXMLDoc(this)){var a=this.cloneNode(true),container=document.createElement("div");container.appendChild(a);return D.clean([container.innerHTML])[0]}else return this.cloneNode(true)});var d=f.find("*").andSelf().each(function(){if(this[E]!=undefined)this[E]=nu
    Source: https://wwre.lanzoup.com/iUb312qvvxyd — HTTP Parser: Base64 decoded: T2<0TeV_54Rnn8^9VfQnU`W3>S`S"(onT5S3]ni;mQe55
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E — JavaScript Tracing: HTMLScriptElement has been added to the DOM dynamically using "insertBefore();"
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3E — JavaScript Tracing: HTMLScriptElement has been added to the DOM dynamically using "insertBefore();"
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd — JavaScript Tracing: HTMLScriptElement has been added to the DOM dynamically using "insertBefore();"
    Source: https\://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E — JavaScript Tracing: HTMLScriptElement has been added to the DOM dynamically using "insertBefore();"
    Source: https://wwre.lanzoup.com/iUb312qvvxydHTTP Parser: No favicon
    Source: https://wwre.lanzoup.com/iUb312qvvxydHTTP Parser: No favicon
    Source: https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3EHTTP Parser: No favicon
    Source: https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3EHTTP Parser: No favicon
    Source: https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3EHTTP Parser: No favicon
    Source: https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3EHTTP Parser: No favicon
    Source: https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3EHTTP Parser: No favicon
    Source: https://developer-oss.lanrar.com/file/?UjRRb1tqBzZWX1FpADVWOldoDjZRQwBPUGBacgIkVj5TI1sqWmEHOggyBjUDCFQ8BzkHP1Y7VGRValJmUzdQYlJqUT5bNQd1VmZRdABpVmZXPQ49UTkAN1BiWmgCbFZhU3VbfFp3B24IbAZgA2VUYAdyBzJWOlR5VWNSbFMgUGJSZVExWzIHMVZlUWIANlZuVzgOOlFvADJQNVprAmpWYFNrW25aYwcwCGwGNANlVDAHZAdgVjtUYVUzUjVTN1B/UihRb1t2B3VWdVF0ADFWJVdkDm9RMwA2UGVaZQJsVmNTZFs/WiEHJwg3Bj0DMlQzB2AHM1Y+VGJVYFJmUzZQaVJnUTNbNgd9Vi5RIQAyVjtXeg42UT8ANVBjWm4CbFZuU2RbPFoyB2UIeAYlAydUIgdgBzNWPlRiVWBSZlM8UGNSYlE1WzYHdVZ1UW4AJFZqVzUOJVE6ADRQeVptAmxWZFN9Wz1aPwdqCHAGdgMzVDoHKgdsVlZUNVU5UmlTPw==HTTP Parser: No favicon
    Source: https://developer-oss.lanrar.com/file/?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HTTP Parser: No favicon
    Source: https://developer-oss.lanrar.com/file/?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HTTP Parser: No favicon
    Source: https://developer-oss.lanrar.com/file/?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HTTP Parser: No favicon
    Source: https://developer-oss.lanrar.com/file/?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HTTP Parser: No favicon

    System Summary

    Source: Unconfirmed 531589.crdownload.1.dr — Zip Entry: encrypted
    Source: classification engine — Classification label: mal52.evad.win@39/2@0/22
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe — File created: C:\Users\user\Downloads\e5e58d59-b168-46cc-abcd-2069309faeec.tmp
    Source: unknownProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized "about:blank"
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2044 --field-trial-handle=1792,i,5437045901747490287,607807609955483898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
    Source: unknownProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" "https://wwre.lanzoup.com/iUb312qvvxyd"
    Source: unknownProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?<?=$codepost?>
    Source: unknownProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?<?=$codepost?>
    Source: unknownProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?>
    Source: unknownProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?>
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2044 --field-trial-handle=1792,i,5437045901747490287,607807609955483898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: Window Recorder — Window detected: More than 3 window changes detected

    Malware Analysis System Evasion

    Source: Yara match — File source: C:\Users\user\Downloads\e5e58d59-b168-46cc-abcd-2069309faeec.tmp, type: DROPPED
    Source: all processes — Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: Unconfirmed 531589.crdownload.1.dr — Binary or memory string: AiQeMU
    Source: all processes — Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    MITRE ATT&CK tactics (matrix columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
    JavaScript
    Path Interception1
    Process Injection
    1
    Masquerading
    OS Credential Dumping1
    Security Software Discovery
    Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
    Process Injection
    LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 1641705 URL: https://wwre.lanzoup.com/iU... Startdate: 18/03/2025 Architecture: WINDOWS Score: 52 31 Yara detected ZipBomb 2->31 33 Drops password protected ZIP file 2->33 6 chrome.exe 13 2->6         started        10 chrome.exe 2->10         started        12 chrome.exe 2->12         started        14 3 other processes 2->14 process3 dnsIp4 27 192.168.2.17 unknown unknown 6->27 29 239.255.255.250 unknown Reserved 6->29 19 e5e58d59-b168-46cc-abcd-2069309faeec.tmp, Zip 6->19 dropped 16 chrome.exe 1 6->16         started        file5 process6 dnsIp7 21 8.45.176.188 ZULILYUS United States 16->21 23 108.177.15.84 GOOGLEUS United States 16->23 25 18 other IPs or domains 16->25

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    Source | Detection | Scanner | Label | Link
    https://wwre.lanzoup.com/iUb312qvvxyd | 0% | Avira URL Cloud | safe
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    https://wwre.lanzoup.com/iUb312qvvxyd | false
      unknown
      https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3E | false
        unknown
        https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E | false
          unknown
          https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E | false
            unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            142.250.80.35
            unknown | United States
            15169 | GOOGLEUS | false
            1.1.1.1
            unknown | Australia
            13335 | CLOUDFLARENETUS | false
            180.163.141.18
            unknown | China
            4812 | CHINANET-SH-APChinaTelecomGroupCN | false
            108.177.15.84
            unknown | United States
            15169 | GOOGLEUS | false
            142.250.65.196
            unknown | United States
            15169 | GOOGLEUS | false
            8.45.176.188
            unknown | United States
            394000 | ZULILYUS | false
            60.165.116.42
            unknown | China
            4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
            216.58.206.78
            unknown | United States
            15169 | GOOGLEUS | false
            111.45.11.83
            unknown | China
            56040 | CMNET-GUANGDONG-APChinaMobilecommunicationscorporation | false
            142.250.185.110
            unknown | United States
            15169 | GOOGLEUS | false
            101.226.26.145
            unknown | China
            4812 | CHINANET-SH-APChinaTelecomGroupCN | false
            218.92.227.227
            unknown | China
            4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
            106.8.246.201
            unknown | China
            4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
            216.58.206.68
            unknown | United States
            15169 | GOOGLEUS | false
            142.250.81.238
            unknown | United States
            15169 | GOOGLEUS | false
            162.159.61.3
            unknown | United States
            13335 | CLOUDFLARENETUS | false
            239.255.255.250
            unknown | Reserved
            unknown | unknown | false
            183.240.98.228
            unknown | China
            56040 | CMNET-GUANGDONG-APChinaMobilecommunicationscorporation | false
            142.250.185.97
            unknown | United States
            15169 | GOOGLEUS | false
            172.64.41.3
            unknown | United States
            13335 | CLOUDFLARENETUS | false
            47.98.88.99
            unknown | China
            37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
            IP
            192.168.2.17
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1641705
            Start date and time:2025-03-18 12:31:30 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 19s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:defaultwindowsinteractivecookbook.jbs
            Sample URL:https://wwre.lanzoup.com/iUb312qvvxyd
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:18
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal52.evad.win@39/2@0/22
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Not all processes were analyzed; the report is missing behavior information
            • Report size getting too big, too many NtSetInformationFile calls found.
            • Skipping network analysis since amount of network traffic is too extensive
            • VT rate limit hit for: https://wwre.lanzoup.com/iUb312qvvxyd
            No simulations
            Source | URL
            Screenshot | https://wwre.lanzoup.com/iUb312qvvxyd?<?=$codepost?>
            Screenshot | https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?<?=$codepost?>
            Screenshot | https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?<?=$codepost?>
            Screenshot | https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?>
            Screenshot | https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?>
            Screenshot | https://wwre.lanzoup.com/iUb312qvvxyd?<?=$codepost?>
            Screenshot | https://wwre.lanzoup.com/iUb312qvvxyd?<?=$codepost?>
            No context
            No context
            No context
            No context
            No context
            Process:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            File Type:Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
            Category:dropped
            Size (bytes):106755426
            Entropy (8bit):7.9999981907478315
            Encrypted:true
            SSDEEP:
            MD5:A76CF51968423C2F448B3009F2AE6932
            SHA1:38100EEC32B1825899085EF3109894E8873CB5FB
            SHA-256:9905B9FAED22CF233EB5FDC91A5DBB16BDE000B1C3BD18F827BBFA08EB2C43CB
            SHA-512:0AAA7BF04818DBC2EDFC20D87A0C8280D512DDEDD55E8FFC8E527A57315D4B471620ABE2A893CC13158B2D0F84CC4F67471BE3E5039D0A4797759CA69E700642
            Malicious:false
            Reputation:low
            Preview:PK..3...c.ShnZ....8.\...].....VT1/VT1.msi......AE...B...y{.27OEIt./a..C.v@.@.!:.....!0..p..<;.p.._.vR...vR.L..N.|.5..:{;..>^....a...+..c.....Z..........#.F.../....[...Z..;{..J.X.C...eB...YiB..T.....5V...0.-}.P....9LL=.q..... .v9...oKq......{.\Y........w.C?.|&:tG.>.........4.......M...hR.^.....n...3.b..z....O...}...6.LQ..1q]&!.Ps-..P..f...E......d.v...._..5.~.@.2:..f. 2........x.-!.w...s.....,..^.R.m.q'Y.m.sBU......}).X.... ...s..<,.".T.=.+T..L.[P.>.V...ku:~p.d..B.-.:.B.;...J.Rk.i........'.....$.{.oX.0~..v.n.}...JB.T.s.{..."U7..?xH{.../.5..IS..H..Y...7.;-c|dA.......U[-.Q.o.?.Hj[.V.1......w._~.."Q..u.......W.U..QiAk.2....%....E.Q....yw.2.v...A.1..H.A.Ni...q8.:F.Z.........|.XP........S..l..G......):2.*o4...z..A.N...A..,..#.X.F...1.OR.o.*ij=t..`..q...$I3..9.7>...l....O..K...&..:G..;..Z...t.^$?.3.....Q..`I.Ic......T...`C/_0.)X.=z.wx........F.l.sL. ...W..ji...+...W...L.5..W./48.M...O..=...E.:.h%.?.z..%.[...$......P..^.-s7.p.7hD...6......[fhYf^....Z..M.
            Process:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            File Type:Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
            Category:dropped
            Size (bytes):15958
            Entropy (8bit):7.9877078519155065
            Encrypted:false
            SSDEEP:384:Lxkw1K16uKvMDCZ0Z2wdRfVfR7M3HiHug:Sw1q6uKvMuZ34pRgSOg
            MD5:3868A345CEF0D1C3EC4E75E3867B2FE6
            SHA1:25D8CCDEB5C31BF2D6206FFD780F37FC9AAA651F
            SHA-256:FA54CFD0197FEC360C4DA2B6B66B7F7B6E47BC47BA54CBB9A12B17086657CB62
            SHA-512:71C150E7EFC82DAEB8FC42AE7F927A6773FA973C82B9B593DFA12819731EC3BFEA061F0A9407A102D244C30BDA1F1E2A9BFAB1E54FA3B5331F952F6EAC73FE1A
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_ZipBomb, Description: Yara detected ZipBomb, Source: C:\Users\user\Downloads\e5e58d59-b168-46cc-abcd-2069309faeec.tmp, Author: Joe Security
            Reputation:low
            Preview:PK..3...c.ShnZ....8.\...].....VT1/VT1.msi......AE...B...y{.27OEIt./a..C.v@.@.!:.....!0..p..<;.p.._.vR...vR.L..N.|.5..:{;..>^....a...+..c.....Z..........#.F.../....[...Z..;{..J.X.C...eB...YiB..T.....5V...0.-}.P....9LL=.q..... .v9...oKq......{.\Y........w.C?.|&:tG.>.........4.......M...hR.^.....n...3.b..z....O...}...6.LQ..1q]&!.Ps-..P..f...E......d.v...._..5.~.@.2:..f. 2........x.-!.w...s.....,..^.R.m.q'Y.m.sBU......}).X.... ...s..<,.".T.=.+T..L.[P.>.V...ku:~p.d..B.-.:.B.;...J.Rk.i........'.....$.{.oX.0~..v.n.}...JB.T.s.{..."U7..?xH{.../.5..IS..H..Y...7.;-c|dA.......U[-.Q.o.?.Hj[.V.1......w._~.."Q..u.......W.U..QiAk.2....%....E.Q....yw.2.v...A.1..H.A.Ni...q8.:F.Z.........|.XP........S..l..G......):2.*o4...z..A.N...A..,..#.X.F...1.OR.o.*ij=t..`..q...$I3..9.7>...l....O..K...&..:G..;..Z...t.^$?.3.....Q..`I.Ic......T...`C/_0.)X.=z.wx........F.l.sL. ...W..ji...+...W...L.5..W./48.M...O..=...E.:.h%.?.z..%.[...$......P..^.-s7.p.7hD...6......[fhYf^....Z..M.
            No static file info
            Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.



            All data are 0.

            Target ID:1
            Start time:07:32:14
            Start date:18/03/2025
            Path:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized "about:blank"
            Imagebase:0x7ff79d9c0000
            File size:2'450'432 bytes
            MD5 hash:B6CB00FCB81D3B66870817AEBE7163BB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:false

            Target ID:2
            Start time:07:32:15
            Start date:18/03/2025
            Path:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2044 --field-trial-handle=1792,i,5437045901747490287,607807609955483898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Imagebase:0x7ff79d9c0000
            File size:2'450'432 bytes
            MD5 hash:B6CB00FCB81D3B66870817AEBE7163BB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:false

            Target ID:4
            Start time:07:32:16
            Start date:18/03/2025
            Path:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" "https://wwre.lanzoup.com/iUb312qvvxyd"
            Imagebase:0x7ff79d9c0000
            File size:2'450'432 bytes
            MD5 hash:B6CB00FCB81D3B66870817AEBE7163BB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:11
            Start time:07:32:27
            Start date:18/03/2025
            Path:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?<?=$codepost?>
            Imagebase:0x7ff79d9c0000
            File size:2'450'432 bytes
            MD5 hash:B6CB00FCB81D3B66870817AEBE7163BB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:12
            Start time:07:32:29
            Start date:18/03/2025
            Path:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?<?=$codepost?>
            Imagebase:0x7ff79d9c0000
            File size:2'450'432 bytes
            MD5 hash:B6CB00FCB81D3B66870817AEBE7163BB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:13
            Start time:07:32:37
            Start date:18/03/2025
            Path:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?>
            Imagebase:0x7ff79d9c0000
            File size:2'450'432 bytes
            MD5 hash:B6CB00FCB81D3B66870817AEBE7163BB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:14
            Start time:07:32:42
            Start date:18/03/2025
            Path:C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument https://wwre.lanzoup.com/iUb312qvvxyd?%3C?=$codepost?%3E?%3C?=$codepost?%3E?%3C?=$codepost?%3E?<?=$codepost?>
            Imagebase:0x7ff79d9c0000
            File size:2'450'432 bytes
            MD5 hash:B6CB00FCB81D3B66870817AEBE7163BB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            No disassembly